<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/rss2full.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.feedburner.com/~d/styles/itemcontent.css"?><rss xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0" version="2.0"> <channel> <title>Roger's Information Security Blog</title> <link>http://www.infosecblog.org/</link> <description>Hi, welcome to my blog.  It started out as a place to be able to post links and news so I could find them again.  I began adding my own commentary, and it's proven surprisingly popular.  Thanks for stopping by.  Don't forget to use the search if Google dropped you off at this page and you don't see what you're looking for.</description> <language>en</language> <copyright>Copyright 2010</copyright> <lastBuildDate>Sun, 28 Feb 2010 23:04:14 -0500</lastBuildDate> <generator>http://www.sixapart.com/movabletype/?v=4.34-en</generator> <docs>http://blogs.law.harvard.edu/tech/rss</docs>  <atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" type="application/rss+xml" href="http://feeds.feedburner.com/RogersInfosecBlog" /><feedburner:info uri="rogersinfosecblog" /><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://pubsubhubbub.appspot.com/" /><item> <title>Woman steals WiFi, demands Leo Laporte return it to her</title> <description>&lt;p&gt;People have a remarkable sense of entitlement about the things they are stealing.&lt;/p&gt;

&lt;p&gt;&lt;OBJECT width=560 height=340&gt;&lt;PARAM NAME="movie" VALUE="http://www.youtube-nocookie.com/v/S0zt4opqL18&amp;amp;hl=en_US&amp;amp;fs=1&amp;amp;rel=0"&gt;&lt;PARAM NAME="allowFullScreen" VALUE="true"&gt;&lt;PARAM NAME="allowscriptaccess" VALUE="always"&gt;&lt;embed src="http://www.youtube-nocookie.com/v/S0zt4opqL18&amp;hl=en_US&amp;fs=1&amp;rel=0" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="560" height="340"&gt;&lt;/embed&gt;&lt;/OBJECT&gt;&lt;/p&gt;</description> <link>http://feedproxy.google.com/~r/RogersInfosecBlog/~3/Oh31t7gcwoM/woman-steals-wifi-demands-leo.html</link> <guid isPermaLink="false">http://www.infosecblog.org/2010/02/woman-steals-wifi-demands-leo.html</guid> <category /> <pubDate>Sun, 28 Feb 2010 23:04:14 -0500</pubDate> <feedburner:origLink>http://www.infosecblog.org/2010/02/woman-steals-wifi-demands-leo.html</feedburner:origLink></item>  <item> <title>Patching Adobe Acrobat and Reader</title> <description>&lt;p&gt;Adobe Reader 9.3.1 is an MSP file that can only be applied to Adobe Reader 9.3.   So what to do about the users that hadn't installed 9.3 yet?   I really didn't want them to install 9.3 and then have 9.3.1 install immediately after that.  That sort of thing sets user revolt in motion.&lt;/p&gt;

&lt;p&gt;So I searched and found an Adobe TechNote on &lt;a href="http://kb2.adobe.com/cps/507/cpsid_50720.html"&gt;deploying Adobe Acrobat and quarterly updates in one install&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;If you've used MSPs before you're probably already familiar with how to do this.&lt;br /&gt;
&lt;blockquote&gt;&lt;em&gt;msiexec.exe /i "[UNCPATH]\AcroPro.msi" PATCH="[UNCPATH]\AcroProStdUpd910_T1T2_incr.msp;[UNCPATH]\AcrobatUpd912_all_incr.msp" TRANSFORMS="1036.mst"&lt;/em&gt;&lt;/blockquote&gt;&lt;br /&gt;
So I went to town, stringing together the paths to all the MSP updates.   Good Lord! There are a lot of them.&lt;/p&gt;

&lt;p&gt;So after I did that for Reader and Acrobat 9, and tested it all out, I found another Adobe TechNote.   &lt;a href="http://kb2.adobe.com/cps/507/cpsid_50757.html"&gt;"Install Acrobat 9 and all patches in one step with Adobe Bootstrapper (Setup.exe) and patch sequencing"&lt;/a&gt;.   This method is much easier.  No mistakes with quotes in the command line.   Users installing from the file server can just run the same EXE they always have rather than running a bat file.   The same problem exists as before: if they run the MSI directly, not only do they miss the custom config (MST), now they miss the patches too.&lt;/p&gt;

&lt;p&gt;This article has you list the patches in setup.ini.   You just add the list of patches to the product section.&lt;br /&gt;
&lt;blockquote&gt;&lt;em&gt;[Product]&lt;br /&gt;
PATCH=AcroProStdUpd910_T1T2_incr.msp;AcrobatUpd912_all_incr.msp;AcrobatUpd913_all_incr.msp&lt;/em&gt;&lt;/blockquote&gt;&lt;/p&gt;

&lt;p&gt;This is really awesome.   Now when my helpdesk installs Adobe Acrobat 9 they won't accidentally leave the user with version 9.0.0, the version of the original install files.   And when we upgrade Adobe Reader, it will be a lot easier for the users.&lt;/p&gt;

&lt;p&gt;Unfortunately my day didn't end there.   I looked at our deployed systems.   While there was very little Adobe Reader 8 (so I can skip that), we actually have more Adobe Acrobat 8 installed than Acrobat 9.   So I sat down to recreate what I did for Acrobat 9.   Guess what, it didn't work!    After trying many different things, I stumbled across another TechNote: &lt;a href="http://kb2.adobe.com/cps/403/kb403246.html"&gt;"Install all Acrobat 8 patches in one step with Adobe Bootstrapper and patch sequencing"&lt;/a&gt;.   Apparently the Adobe Bootstrapper (setup.exe) on my 8.1 CD was customized.   Once I downloaded the setup.exe linked in that TechNote, it worked.   I was able to run the Adobe Acrobat 8 setup.exe and install the current 8.2.1 version.&lt;/p&gt;

&lt;p&gt;Up next is writing a script to install Acrobat patches for the users.  Currently, because it's not standard software, we ask the users to do the updates.&lt;/p&gt;

&lt;p&gt;After that come the next Adobe security updates.   I'm sure there are some just around the corner, like the Adobe Download Manager bug.&lt;/p&gt;</description> <link>http://feedproxy.google.com/~r/RogersInfosecBlog/~3/wnz9_z78u5Y/patching-adobe-acrobat-and-rea.html</link> <guid isPermaLink="false">http://www.infosecblog.org/2010/02/patching-adobe-acrobat-and-rea.html</guid> <category /> <pubDate>Sat, 27 Feb 2010 19:59:31 -0500</pubDate> <feedburner:origLink>http://www.infosecblog.org/2010/02/patching-adobe-acrobat-and-rea.html</feedburner:origLink></item>  <item> <title>Dumb Ideas in Pentesting</title> <description>&lt;p&gt;Today's SANS Diary reminded me of something that happened a while back.&lt;/p&gt;

&lt;p&gt;The SANS entry &lt;a href="http://isc.sans.org/diary.html?storyid=8287"&gt;New Risks in Penetration Testing&lt;/a&gt; was concerned that the reputation score of an IP address could be affected by pen testing from that address. I guess someone is taking the old SenderBase concept and applying it to all traffic.&lt;/p&gt;

&lt;p&gt;The helpdesk received an issue a while back about an inability to communicate with a government website.  After checking it out, it looked like they were blocking our external IP.  We communicated with the government people and confirmed that their ISS IPS appliance had automatically blocked our IP because we were attacking them.   I checked the logs and found that one of our people who pentests for a living had done some probing for XSS on a WordPress blog hosted on the government site.   I turned that over to someone else to find out if he had authorization to be doing so.&lt;/p&gt;

&lt;p&gt;Probing other companies from your company's main IP address is not such a good idea.&lt;/p&gt;</description> <link>http://feedproxy.google.com/~r/RogersInfosecBlog/~3/QluDCPMGlJU/dumb-ideas-in-pentesting.html</link> <guid isPermaLink="false">http://www.infosecblog.org/2010/02/dumb-ideas-in-pentesting.html</guid> <category /> <pubDate>Mon, 22 Feb 2010 12:22:18 -0500</pubDate> <feedburner:origLink>http://www.infosecblog.org/2010/02/dumb-ideas-in-pentesting.html</feedburner:origLink></item>  <item> <title>Firefox Updates</title> <description>&lt;p&gt;Firefox 3.5.8 and Firefox 3.0.18 have been released to resolve several security vulnerabilities.&lt;/p&gt;</description> <link>http://feedproxy.google.com/~r/RogersInfosecBlog/~3/62MzIprJ-kY/firefox-updates-1.html</link> <guid isPermaLink="false">http://www.infosecblog.org/2010/02/firefox-updates-1.html</guid> <category /> <pubDate>Wed, 17 Feb 2010 23:18:30 -0500</pubDate> <feedburner:origLink>http://www.infosecblog.org/2010/02/firefox-updates-1.html</feedburner:origLink></item>  <item> <title>Dear Abby on Password Secrecy</title> <description>&lt;p&gt;Today's Dear Abby contained a letter about passwords.   It's the third letter &lt;a href="http://www.philly.com/dailynews/features/20100217_Dear_Abby__Roommate_shares_more_than_space_in_college_dorm_room.html"&gt;at this link&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;The letter writer warns against sharing your passwords with anyone.   The writer recounts instances where a password shared at one point in a relationship becomes a weapon when the relationship turns sour.   People, after the divorce is finalized you need to make sure your ex doesn't have your bank passwords.&lt;/p&gt;

&lt;p&gt;I didn't expect to be getting security advice from Dear Abby.  If these people had followed the standard security advice to use different passwords for each account and change them regularly, that alone would have prevented this breach.&lt;/p&gt;</description> <link>http://feedproxy.google.com/~r/RogersInfosecBlog/~3/PS1juO7oXcI/todays-dear-abby-contained-a.html</link> <guid isPermaLink="false">http://www.infosecblog.org/2010/02/todays-dear-abby-contained-a.html</guid> <category /> <pubDate>Wed, 17 Feb 2010 20:28:33 -0500</pubDate> <feedburner:origLink>http://www.infosecblog.org/2010/02/todays-dear-abby-contained-a.html</feedburner:origLink></item>  <item> <title>Security Advisory for Adobe Reader, Acrobat and Flash</title> <description>&lt;p&gt;Adobe has released a &lt;a href="http://www.adobe.com/support/security/bulletins/apsb10-07.html"&gt;Security Advisory for Adobe Reader and Acrobat (APSB10-07)&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;Adobe is planning to release updates on 2/16/2010 to resolve critical security issues.&lt;/p&gt;

&lt;p&gt;Adobe has released a &lt;a href="http://www.adobe.com/support/security/bulletins/apsb10-06.html"&gt;security update for Adobe Flash and Adobe AIR&lt;/a&gt;.&lt;/p&gt;</description> <link>http://feedproxy.google.com/~r/RogersInfosecBlog/~3/noBkFklHTTw/security-advisory-for-adobe-re.html</link> <guid isPermaLink="false">http://www.infosecblog.org/2010/02/security-advisory-for-adobe-re.html</guid> <category>General</category> <pubDate>Thu, 11 Feb 2010 20:00:34 -0500</pubDate> <feedburner:origLink>http://www.infosecblog.org/2010/02/security-advisory-for-adobe-re.html</feedburner:origLink></item>  <item> <title>Common Sense</title> <description>&lt;p&gt;Does anyone really think that sneezing into your arm is common sense?   I suspect that if you do, you must have small kids and have been trained by some sort of Elmo video.  I don't recall any mass agreement on sending snot flying into my shirt sleeve as a method of good hygiene.&lt;/p&gt;

&lt;p&gt;At Shmoocon Bruce Potter compared the common sense of sneezing into your sleeve (to him apparently a good thing) with common sense security steps.   Maybe he's right, a password policy is kind of like getting snot all over yourself.&lt;/p&gt;

&lt;p&gt;My notes seem to have mangled the opening remarks from Shmoocon 2010.  The general summary is that it's a waste to spend a boatload of money on security when you don't have your policies and procedures clear.   You've got to start with the basics.&lt;/p&gt;

&lt;p&gt;A password policy needs to be applied consistently across all systems.   Often the development systems can be compromised and then used to hop back across to the production systems.  The dev systems need the policy as well.&lt;/p&gt;

&lt;p&gt;Network segmentation is important.   Soft gooey center, anyone?&lt;/p&gt;

&lt;p&gt;Auditing.  If you aren't watching, how do you know something bad happened?&lt;/p&gt;

&lt;p&gt;We laugh at the TSA, but they have far less fail in their results.&lt;/p&gt;</description> <link>http://feedproxy.google.com/~r/RogersInfosecBlog/~3/CSf7S6VxDqw/common-sense.html</link> <guid isPermaLink="false">http://www.infosecblog.org/2010/02/common-sense.html</guid> <category>General</category> <pubDate>Mon, 08 Feb 2010 20:23:59 -0500</pubDate> <feedburner:origLink>http://www.infosecblog.org/2010/02/common-sense.html</feedburner:origLink></item>  <item> <title>Unicorn sighting</title> <description>&lt;p&gt;A few weeks ago my officemate posted to Facebook,&lt;br /&gt;
&lt;blockquote&gt;&lt;em&gt;I've just been told by two different Mac Geniuses that installing an antivirus software could actually make the Mac computer less secure. Unfortunately, both were phone conversations because I'm almost certain they were doing the Jedi mind trick hand motions.&lt;/em&gt;&lt;/blockquote&gt;&lt;/p&gt;

&lt;p&gt;As I read that, I figured this was Mac users in our company fighting our policy requiring antivirus for Macs.  Certainly antivirus can slow a system.  And any software can have vulnerabilities.   But this wasn't about that.   No, these were actual honest-to-God responses from Apple support.  My officemate wanted to know if this was official policy.  So he asked for it in writing.   That got him escalated to the next level, where he was apologetically told that it is not Apple's policy that antivirus is unnecessary.&lt;/p&gt;

&lt;p&gt;I thought of this today as Graham Cluley tweeted links to a couple of video blogs from last year.  Unicorns have been spotted: malware for the Mac does exist.   Now to be fair, these examples are largely social engineering.   Just because it's not a zero-day doesn't mean the system isn't owned.  Fake codecs and fake anti-malware aren't the exclusive province of Microsoft operating systems.&lt;/p&gt;

&lt;p&gt;&lt;object width="560" height="340"&gt;&lt;param name="movie" value="http://www.youtube.com/v/dpnWncJH-bk&amp;hl=en_US&amp;fs=1&amp;"&gt;&lt;/param&gt;&lt;param name="allowFullScreen" value="true"&gt;&lt;/param&gt;&lt;param name="allowscriptaccess" value="always"&gt;&lt;/param&gt;&lt;embed src="http://www.youtube.com/v/dpnWncJH-bk&amp;hl=en_US&amp;fs=1&amp;" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="560" height="340"&gt;&lt;/embed&gt;&lt;/object&gt;&lt;/p&gt;

&lt;p&gt;&lt;object width="560" height="340"&gt;&lt;param name="movie" value="http://www.youtube.com/v/RTeSYmQS820&amp;hl=en_US&amp;fs=1&amp;"&gt;&lt;/param&gt;&lt;param name="allowFullScreen" value="true"&gt;&lt;/param&gt;&lt;param name="allowscriptaccess" value="always"&gt;&lt;/param&gt;&lt;embed src="http://www.youtube.com/v/RTeSYmQS820&amp;hl=en_US&amp;fs=1&amp;" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="560" height="340"&gt;&lt;/embed&gt;&lt;/object&gt;&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/RogersInfosecBlog/~4/wVFDF4GoZ2Q" height="1" width="1"/&gt;</description> <link>http://feedproxy.google.com/~r/RogersInfosecBlog/~3/wVFDF4GoZ2Q/unicorn-sighting.html</link> <guid isPermaLink="false">http://www.infosecblog.org/2010/02/unicorn-sighting.html</guid> <category>Apple</category> <pubDate>Sun, 07 Feb 2010 00:15:46 -0500</pubDate> <feedburner:origLink>http://www.infosecblog.org/2010/02/unicorn-sighting.html</feedburner:origLink></item>  <item> <title>Shmoocon versus the Snowpocalypse</title> <description>&lt;p&gt;&lt;a href="http://www.shmoocon.org/"&gt;Shmoocon &lt;/a&gt;is this weekend.   The city is starting to look like something from &lt;a href="http://www.imdb.com/title/tt0319262/"&gt;The Day After Tomorrow&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;I live in the DC suburbs, and had considered grabbing a hotel room to take part in what has to be the craziest Shmoo ever.   The hotel rates when I checked online were lower than the Shmoo rate.   But then I'd still have to pay an insane rate for hotel garage parking.   And the Donner party jokes were worrying me too.   I could see the hotel running out of food and everything else being closed.&lt;/p&gt;

&lt;p&gt;I drove into Ballston on Friday.   In December Metro closed the above-ground stations without a lot of warning.   I knew they'd do it again if the snow got to 8 inches, and Ballston is the last underground station on the Orange line.   Metro didn't close the above-ground lines until 11 pm, so that move was unnecessary.   The drive back from Arlington out to Clifton was fun.&lt;/p&gt;

&lt;p&gt;Today there is no way I'm getting out, so I'm watching what I can on the live stream.  I'll review my notes from yesterday and post if I can come up with anything semi-coherent.&lt;/p&gt;</description> <link>http://feedproxy.google.com/~r/RogersInfosecBlog/~3/LX_UC4WIAf0/shmoocon-versus-the-apocolps.html</link> <guid isPermaLink="false">http://www.infosecblog.org/2010/02/shmoocon-versus-the-apocolps.html</guid> <category>General</category> <pubDate>Sat, 06 Feb 2010 10:38:24 -0500</pubDate> <feedburner:origLink>http://www.infosecblog.org/2010/02/shmoocon-versus-the-apocolps.html</feedburner:origLink></item>  <item> <title>January Patches</title> <description>&lt;p&gt;After a fairly light December patching load, January took no prisoners.&lt;/p&gt;

&lt;p&gt;Microsoft's Patch Tuesday had just one patch, MS10-001.   But they made up for that with an out-of-band update later in the month, MS10-002.   They also put out a bulletin warning about &lt;a href="http://www.infosecblog.org/2010/01/microsoft-security-advisory-fo.html"&gt;old Flash installs&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;Adobe and Oracle piggybacked on Patch Tuesday to release updates as well.   Vendors pretend it's more convenient for people to get all their patches at once, but it's more about losing their own vulnerability announcements in the crowd.   Adobe Reader is installed on most machines, so deploying Reader and Acrobat updates is kind of a big deal.&lt;/p&gt;

&lt;p&gt;To keep admins on their toes, Adobe also released security updates for Shockwave and Illustrator.&lt;/p&gt;

&lt;p&gt;Real Player kept its name in the news with a security update of its own.   While it lacks its once ubiquitous presence, it is another thing to watch for.&lt;/p&gt;

&lt;p&gt;Firefox released 3.6.  Fortunately, this was about new features, not security fixes.&lt;/p&gt;

&lt;p&gt;Apple not wanting to feel left out released a mega security update rolling up multiple patches.&lt;/p&gt;

&lt;p&gt;Wireshark 1.2.6 came out with a couple of security updates.&lt;/p&gt;

&lt;p&gt;If you're responsible for patching in the enterprise, it looks like you picked the wrong month to stop sniffing glue.&lt;/p&gt;

&lt;p&gt;For home use, I use the &lt;a href="http://secunia.com/vulnerability_scanning/personal/"&gt;Secunia Personal Software Inspector&lt;/a&gt; in advanced mode.   They are now a bit better about prompting you to exclude directories like i386 to avoid nagging you about things that aren't a problem.&lt;/p&gt;</description> <link>http://feedproxy.google.com/~r/RogersInfosecBlog/~3/5DrIrEeltNQ/january-patches.html</link> <guid isPermaLink="false">http://www.infosecblog.org/2010/02/january-patches.html</guid> <category>General</category> <pubDate>Mon, 01 Feb 2010 20:29:03 -0500</pubDate> <feedburner:origLink>http://www.infosecblog.org/2010/02/january-patches.html</feedburner:origLink></item>  <item> <title>Symantec False Positive in Flash install file</title> <description>&lt;p&gt;I noticed a bunch of computers reporting install_flash_player.exe as a Trojan horse this morning.   My first stop was the Symantec Forum, where &lt;a href="https://www-secure.symantec.com/connect/forums/flash-player-false-positive#comment-3519311"&gt;a bunch of users were already discussing this&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;Since it appeared to be a false positive in an older install file for Adobe Flash, I set out to see which version of Flash was getting hit.   Adobe has an &lt;a href="http://kb2.adobe.com/cps/142/tn_14266.html"&gt;archive of Flash players&lt;/a&gt;.  I downloaded a zip with every version of Flash 10 and unzipped it to my hard drive.   I got a detection on flashplayer10r22_87_win.exe.   Once that was quarantined, the easiest thing to do was go into my local quarantine, right-click and submit to Symantec.&lt;/p&gt;

&lt;p&gt;A Symantec support employee points out the &lt;a href="http://service1.symantec.com/support/ent-security.nsf/docid/2010010319585948?Open&amp;seg=ent"&gt;KB for false positives&lt;/a&gt; and the virus submission website &lt;a href="https://submit.symantec.com/websubmit/gold.cgi"&gt;https://submit.symantec.com/websubmit/gold.cgi&lt;/a&gt;.  To use that I would have had to disable real-time protection and unquarantine the file.   So it was easier to submit from within Symantec.   I'm running 1/27 r49 definitions.&lt;/p&gt;</description> <link>http://feedproxy.google.com/~r/RogersInfosecBlog/~3/j3H5a4JAbFw/symantec-false-positive-in-fla.html</link> <guid isPermaLink="false">http://www.infosecblog.org/2010/01/symantec-false-positive-in-fla.html</guid> <category>Antivirus</category> <pubDate>Thu, 28 Jan 2010 11:07:36 -0500</pubDate> <feedburner:origLink>http://www.infosecblog.org/2010/01/symantec-false-positive-in-fla.html</feedburner:origLink></item>  <item> <title>Adobe Shockwave Update</title> <description>&lt;p&gt;Adobe has released an update for Shockwave to patch security vulnerabilities.   A &lt;a href="http://www.adobe.com/support/security/bulletins/apsb10-03.html"&gt;security bulletin&lt;/a&gt; was released today.&lt;/p&gt;

&lt;p&gt;&lt;rant on&gt;&lt;br /&gt;
As usual Adobe is giving enterprise admins the finger by advising that to upgrade Shockwave you must first uninstall old Shockwave versions, reboot, and then install the new version of Shockwave.   Does anyone actually do that?   I don't know about anyone else, but I try to minimize the disruption of my patching program.   Part of that is limiting reboots.   I can't think of another application that makes such unreasonable demands.   Fortunately I've ignored rebooting while upgrading Shockwave and it hasn't caused me any major issue yet.&lt;/p&gt;

&lt;p&gt;I also wonder where Shockwave fits into Adobe's security program.   If it's so important that Adobe Reader only be upgraded on a planned quarterly basis, then why isn't Shockwave updated in the same predictable manner?  (BTW, I don't find it helpful to have all my patches released on the same day.   I don't find it feasible to deploy all these patches at the same time, so some items will not be patched as quickly.   When a patch is released (assuming there wasn't already a zero-day) there is a mad dash by the bad guys to reverse engineer the patch, find the vulnerable code, and develop an exploit.   So releasing the patches in any week other than the second week would be preferable.)&lt;br /&gt;
&lt;rant off&gt;&lt;/p&gt;

&lt;p&gt;If someone finds a Flash zero-day next week, I'm going to think someone declared an unofficial "Month of Adobe bugs".&lt;/p&gt;</description> <link>http://feedproxy.google.com/~r/RogersInfosecBlog/~3/xtQC3uFu7k4/adobe-shockwave-update.html</link> <guid isPermaLink="false">http://www.infosecblog.org/2010/01/adobe-shockwave-update.html</guid> <category>General</category> <pubDate>Tue, 19 Jan 2010 23:44:58 -0500</pubDate> <feedburner:origLink>http://www.infosecblog.org/2010/01/adobe-shockwave-update.html</feedburner:origLink></item>  <item> <title>TweetBrawl</title> <description>&lt;p&gt;Looks like Purewire has taken a page from AOL's AIM Fight and has put up &lt;a href="http://tweetbrawl.com/"&gt;Tweet Brawl&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;AIM Fight attempts to determine how popular you are right this second by looking at your online buddies and their online buddies out to the third degree of separation.  It actually uses people connected to you so you can't game the system by friending the world (like that stupid Luke Wilson AT&amp;T ad).&lt;/p&gt;

&lt;p&gt;TweetBrawl is merely follower based.   The results aren't going to change unless someone loses or gains a lot of followers.  &lt;/p&gt;

&lt;p&gt;If you follow me at @infosectweet, maybe I'd have a chance of winning one of these things.&lt;/p&gt;</description> <link>http://feedproxy.google.com/~r/RogersInfosecBlog/~3/NkU4i6J-V8A/tweetbrawl.html</link> <guid isPermaLink="false">http://www.infosecblog.org/2010/01/tweetbrawl.html</guid> <category>General</category> <pubDate>Mon, 18 Jan 2010 00:43:33 -0500</pubDate> <feedburner:origLink>http://www.infosecblog.org/2010/01/tweetbrawl.html</feedburner:origLink></item>  <item> <title>Microsoft Security Advisory for Flash</title> <description>&lt;p&gt;Microsoft published a security advisory for Flash 6, which is included in Windows XP.   &lt;a href="http://www.microsoft.com/technet/security/advisory/979267.mspx"&gt;MSKB 979267&lt;/a&gt; recommends removing Flash 6 and installing the latest version of Flash from Adobe.&lt;/p&gt;

&lt;p&gt;Maybe it's just me, but since Microsoft included Flash 6 in the default XP install, shouldn't they be responsible for patching it?   Flash should be part of Microsoft Update.&lt;/p&gt;

&lt;p&gt;Fortunately Flash 6 is ancient.   I believe a lot of Flash content will prompt you to upgrade to Flash 8 or 9 rather than allow you to use such an old version.    Even so, a lot of vulnerable Flash remains.&lt;/p&gt;</description> <link>http://feedproxy.google.com/~r/RogersInfosecBlog/~3/egW9M_ffoco/microsoft-security-advisory-fo.html</link> <guid isPermaLink="false">http://www.infosecblog.org/2010/01/microsoft-security-advisory-fo.html</guid> <category>Microsoft</category> <pubDate>Tue, 12 Jan 2010 21:00:38 -0500</pubDate> <feedburner:origLink>http://www.infosecblog.org/2010/01/microsoft-security-advisory-fo.html</feedburner:origLink></item>  <item> <title>SEPM Y2k.1</title> <description>&lt;p&gt;As anyone using Symantec Endpoint Manager (SEPM) to manage SEP11 clients should already know, SEPM has an issue where it thinks virus definition updates from 2010 are older than updates from 2009.&lt;/p&gt;

&lt;p&gt;If you aren't on top of this, you should be subscribed to &lt;a href="http://www.symantec.com/business/support/news_bulletins/index.jsp"&gt;Symantec emails here&lt;/a&gt;.   I'd also apparently subscribed to something at the Symantec Forums at www.symantec.com/connect.   &lt;/p&gt;

&lt;p&gt;Symantec is just now starting to push out patches.   Currently patches are available for 11.0.3.   Keep an eye on &lt;a href="http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2010010308571348"&gt;this knowledge base article&lt;/a&gt; for updates.&lt;/p&gt;

&lt;p&gt;So far this has caused three problems that I care about.   &lt;/p&gt;

&lt;p&gt;1.   We use ForeScout CounterACT to monitor for virus definitions more than a week out of date.   I came in one day and found all my computers in the "old definition" group.   The defined action was to run LiveUpdate once.   That wasn't too big a problem.&lt;/p&gt;

&lt;p&gt;2.   Like most SEP admins, I have SEP configured to use SEPM for updates when on my corporate LAN or VPNed in, but use Symantec's LiveUpdate servers when on the Internet.    It's important for people to get updates even when away from the office, and that is a simpler solution than putting a LiveUpdate server in the DMZ.    The problem is the Y2K.1 issue was specific to SEPM.   As a result Symantec foolishly used different virus definition numbers for their LiveUpdate servers and for updates through SEPM.    So my internal clients are getting 12/31/2009 rev xyz definitions (where xyz is an incrementing number) and people who update directly from Symantec get normal updates dated today.   If you are external to the company and you update from Symantec, your defs are dated 1/10/2010.   If you go back to work, the defs offered from the server are 12/31/2009.   You'll never get updated while on the corporate network until Symantec fixes the original problem.   To my understanding, you are now out of date.   Kind of a big problem.&lt;/p&gt;

&lt;p&gt;3.   Symantec by default notifies users of managed clients when the virus definitions are more than 30 days old.   I take this to mean that unmanaged systems get no notification by default.   In my environment managed systems are set to notify users if the virus definitions are more than 14 days out of date.    Since we're coming up fast on January 14th, I've disabled the notification.   Of course any computer that isn't on our network in the next couple of days won't get the new configuration.&lt;/p&gt;

&lt;p&gt;Hopefully Symantec will get this issue resolved soon.   Not sure why they couldn't be ready to patch all SEPM builds at once.   Why is MR3 so favored?&lt;/p&gt;</description> <link>http://feedproxy.google.com/~r/RogersInfosecBlog/~3/bU9Q4HdksGs/sepm-y2k1.html</link> <guid isPermaLink="false">http://www.infosecblog.org/2010/01/sepm-y2k1.html</guid> <category>Antivirus</category> <pubDate>Tue, 12 Jan 2010 20:34:39 -0500</pubDate> <feedburner:origLink>http://www.infosecblog.org/2010/01/sepm-y2k1.html</feedburner:origLink></item>  </channel></rss>
