Blog: Security and Compliance

During a recent information security audit, I ran across a “unified threat management” system that I had not seen before called Untangle (www.untangle.com).  The bank was using it in place of a traditional firewall.  According to the Untangle website, the Untangle Gateway is “the world’s first commercial-grade open source solution for blocking spam, spyware, viruses, adware and unwanted content on the network, provides a free and better alternative to costly, inflexible proprietary appliances.”  The interesting part is that the gateway runs on Linux and all the “modules” (firewall, IPS, web content blocker, etc.) are open source downloads, so the gateway is a free download.  Additionally, the source code for the Untangle gateway is available for download.

You can choose to pay for certain modules such as Untangle support, an Active Directory connector, the Kaspersky virus blocker, etc.  However, the rest of the modules can be downloaded and installed from a very simple GUI for free.  So far, I have not been able to find any major vulnerabilities or issues with this software.  Their target market is small to medium businesses that don’t want to pay the big bucks for Cisco, SonicWall, and other proprietary appliances.

Untangle also makes another product called “Re-Router” that is a network gateway/proxy server that runs in background on a Windows XP workstation.



If you are using the Firefox browser, make sure you are aware of the security extensions available for Firefox that help protect you while surfing the Internet.  These extensions, including BetterPrivacy, BlockSite, Dr. Web Anti-virus, FormFox, Ghostery, Locationbar, NoScript, Password Hasher, QuickJava, and Web of Trust, help protect against worms, hackers, phishers, etc.  While these extensions (and other security software and tools) can be valuable and effective, there is still no better security feature than good, solid common sense.

To learn more about the security extensions available to the Firefox browser, visit http://news.cnet.com/8301-17939_109-10249214-2.html?tag=newsLatestHeadlinesArea.0



The FTC has delayed the enforcement of the new "Red Flags Rule" again.  The new enforcement date is now extended to August 1, 2009.  This does NOT affect other federal agencies' enforcement of the original November 1, 2008 deadline (i.e. FDIC, OCC, Federal Reserve, OTS, NCUA).

To read the Press Release visit http://www.ftc.gov/opa/2009/04/redflagsrule.shtm



We recently noticed a situation where our clients' systems were not getting Daylight Saving Time (DST) or Windows Malicious Software Removal Tool updates.  After researching, I found that Microsoft classifies some updates as Update Rollups in WSUS, including:

  • Cumulative Security Updates for ActiveX Killbits
  • Updates for Intelligent Message Filter for Exchange
  • Daylight Saving Time updates
  • Windows Malicious Software Removal Tool

So you must select the Update Rollups classification in the WSUS synchronization settings in order for these updates to be available in WSUS.  For any given product or product family, updates could also be spread across multiple classifications (for example, the Windows XP family has both Critical Updates and Security Updates).

The following table lists examples of update classifications:

Connectors
    Software components designed to support connection between software.
Critical updates
    Broadly released fixes for specific problems addressing critical, non-security related bugs.
Development kits
    Software to aid the writing of new applications that usually includes a visual builder, an editor, and a compiler.
Drivers
    Software components designed to support new hardware.
Feature packs
    New product functionality usually included in the next full product release.
Guidance
    Scripts, sample code, and technical guidance designed to help in the deployment and use of a product or technology.
Security updates
    Broadly released fixes for specific products, addressing security issues.
Service packs
    Cumulative sets of all hotfixes, security updates, critical updates, and updates created since the release of the product.  Service packs might also contain a limited number of customer requested design changes or features.
Tools
    Utilities or features that aid in accomplishing a task or set of tasks.
Update rollups
    Cumulative set of hotfixes, security updates, critical updates, and updates packaged together for easy deployment.  A rollup generally targets a specific area, such as security, or a specific component, such as Internet Information Services (IIS).
Updates
    Broadly released fixes for specific problems addressing non-critical, non-security related bugs.
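As an added example (not from the original post, and not Microsoft's own sample), here is the same fix scripted from PowerShell against the WSUS administration API instead of clicking through Options in the WSUS console: it checks which classifications are currently synchronized, adds Update Rollups (plus Security and Critical Updates, in case those were missed too) and starts a synchronization.  It assumes it is run on the WSUS server itself, or on a machine with the WSUS administration console installed (which provides Microsoft.UpdateServices.Administration.dll), by an account in the WSUS Administrators group; the classification titles are the ones the console displays.

```powershell
# Added example (not part of the original post): enable the "Update Rollups"
# classification on a WSUS server through the administration API.
# Assumes the WSUS admin console/DLL is installed on this machine and the
# caller is a WSUS administrator.

[void][Reflection.Assembly]::LoadWithPartialName("Microsoft.UpdateServices.Administration")

# Local server. For a remote server use
#   [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer("wsus01", $false, 8530)
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()
$subscription = $wsus.GetSubscription()

# Classifications we expect to be synchronized. Update Rollups is the one
# that carries DST updates and the Malicious Software Removal Tool.
$wanted = @("Security Updates", "Critical Updates", "Update Rollups")

# What is selected today (this is the check to run before changing anything)
$selected = $subscription.GetUpdateClassifications()
Write-Host "Currently synchronized classifications:"
$selected | ForEach-Object { Write-Host ("  " + $_.Title) }

# Add any wanted classification that is not already selected
$changed = $false
foreach ($classification in $wsus.GetUpdateClassifications()) {
    $already = $selected | Where-Object { $_.Id -eq $classification.Id }
    if (($wanted -contains $classification.Title) -and -not $already) {
        Write-Host ("Adding classification: " + $classification.Title)
        $selected.Add($classification)
        $changed = $true
    }
}

if ($changed) {
    $subscription.SetUpdateClassifications($selected)
    $subscription.Save()
    # Selecting a classification only affects future synchronizations,
    # so kick one off now rather than waiting for the schedule.
    $subscription.StartSynchronization()
    Write-Host "Synchronization started."
} else {
    Write-Host "No change needed."
}
```

Selecting the classification only makes the rollups available in WSUS; once the synchronization finishes they still have to be approved for the relevant computer groups (or covered by an automatic approval rule) before clients will install them.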


Just a friendly reminder of how easy it is to gain access to your files if someone has physical access to your machine.  I locked myself out of a Windows Vista virtual machine I was playing with (it wouldn't allow me to log onto the domain and I didn't have the local admin password).  After some quick Google searching, I ran across the free Offline NT Password and Registry Editor.  You boot to a light Linux distro, it copies the SAM database, asks what you want to do with the password (in this case, clear it), saves the SAM database back, and presto!  You're in.  This also illustrates the importance of implementing full disk encryption.



About 2 weeks ago a new botnet worm called "psyb0t" was discovered, according to a DroneBL blog post (http://www.dronebl.org/blog/8).  This worm appears to be the first botnet worm to specifically target routers and DSL modems.  It is believed the worm has been active since at least January, and it is estimated that more than 100,000 hosts have been infected so far.  The worm was first discovered by DroneBL as part of an investigation into the DDoS attacks against DroneBL's infrastructure.  A few of the malicious things the worm is designed to do include harvesting account information (usernames and passwords) through deep packet inspection, attempting to brute-force accounts, and scanning for exploitable phpMyAdmin and MySQL servers.



During IT audits, we routinely see banks granting all or some of their users local administrator rights on their PCs.  They are usually forced into allowing this level of access due to some software that will not work correctly without local administrator rights.  However, they can mitigate some of the risk by using a utility called DropMyRights.

In a recent Security Now! podcast, Steve Gibson talked about the DropMyRights utility.  It was written by a Microsoft engineer.  It allows you to run specific programs with fewer rights than your user account normally has.  For example, if you are given local administrator rights because the core banking software requires it, you can use DropMyRights to help protect yourself when running web browsers or your email client.  Simply create a shortcut for each program that invokes DropMyRights in the command line.  For example, you could use the following command line to run Internet Explorer under a non-admin user context:

C:\utilities\dropmyrights.exe "c:\program files\internet explorer\iexplore.exe"
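To avoid hand-building a shortcut per program, the shortcuts can be generated with a short PowerShell script.  This is an added example, not code from the original post or from DropMyRights; it assumes dropmyrights.exe is at C:\utilities\dropmyrights.exe as in the command line above, and the program paths in the table are the default 32-bit install locations (adjust them for your machines).

```powershell
# Added example (not part of the original post or of DropMyRights): create
# desktop shortcuts that launch Internet-facing programs through DropMyRights
# so they run with a restricted token even when the user is a local admin.
# Assumed locations: DropMyRights in C:\utilities, default program paths.

$dropMyRights = "C:\utilities\dropmyrights.exe"

# Shortcut name -> executable to run with reduced rights
$targets = @{
    "Internet Explorer (limited)" = "C:\Program Files\Internet Explorer\iexplore.exe"
    "Firefox (limited)"           = "C:\Program Files\Mozilla Firefox\firefox.exe"
    "Outlook (limited)"           = "C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE"
}

if (-not (Test-Path $dropMyRights)) {
    throw "DropMyRights not found at $dropMyRights"
}

$shell   = New-Object -ComObject WScript.Shell
$desktop = [Environment]::GetFolderPath("Desktop")

foreach ($name in $targets.Keys) {
    $exe = $targets[$name]
    if (-not (Test-Path $exe)) {
        Write-Warning "Skipping '$name': $exe is not installed"
        continue
    }

    $lnk = $shell.CreateShortcut((Join-Path $desktop "$name.lnk"))
    $lnk.TargetPath = $dropMyRights
    # DropMyRights takes the program as its first argument and an optional
    # token level as the second: N (normal user, the default), C (constrained)
    # or U (untrusted). Quote the path because it contains spaces.
    $lnk.Arguments        = "`"$exe`" N"
    $lnk.WorkingDirectory = Split-Path $exe
    $lnk.IconLocation     = "$exe,0"   # keep the program's own icon
    $lnk.Save()
    Write-Host "Created shortcut: $name"
}
```

To confirm the shortcut really drops rights, launch a command prompt the same way (`dropmyrights.exe cmd.exe`) and, where whoami is available, run `whoami /groups`: the Administrators group should be listed as "Group used for deny only", which is what a restricted token looks like.  Note that this only protects what is started through the shortcut; a browser launched from another program, or a document opened directly, still runs with full rights.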

Links to the utility and supporting documentation can be found on Steve Gibson’s website: http://www.grc.com/sn/notes-176.htm


From Adobe:

A critical vulnerability has been identified in Adobe Reader 9 and Acrobat 9 and earlier versions. This vulnerability would cause the application to crash and could potentially allow an attacker to take control of the affected system. There are reports that this issue is being exploited.

Adobe states that no update is currently available, but they expect to have an update released by March 11th, 2009.  In the meantime, customers are encouraged to keep their virus definitions current and real-time scanning active.

For more information about the specific vulnerabilities, please refer to the following websites:
http://www.adobe.com/support/security/advisories/apsa09-01.html
http://www.kb.cert.org/vuls/id/905281



You might have heard the publicity that Octoshape received after Obama’s inauguration.  CNN used “Octoshape Grid Delivery” for its live stream.  Octoshape’s “grid streaming technology” is just a peer-to-peer network, like BitTorrent, except it is geared toward live streams.

There are a number of issues with this including:

Cost-shifting to ISPs and users without informing them (approximately 30% of the bandwidth for CNN’s live stream comes from peers).

Crazy license agreement.  Here are a couple of quotes from their EULA (http://www.octoshape.com/files/EULA.html), which you have to go digging on their web site to find:

“You may not collect any information about communication in the network of computers that are operating the Software or about the other users of the Software by monitoring, interdicting or intercepting any process of the Software. Octoshape recognizes that firewalls and anti-virus applications can collect such information, in which case you not are allowed to use or distribute such information.”  You mean I am violating the EULA if I try to see what is using up my upstream bandwidth?

“Accordingly, you hereby grant permission for Octoshape and other end users of the Software to utilize and share the processor and bandwidth of your personal computer system for the limited purpose of facilitating the communication between you and other end users of the Software, including Octoshape.”  Including Octoshape?

Company policies may exist concerning outbound traffic, and the user would be telling any number of other peers what video stream they are currently watching.  Of course, there could also be security vulnerabilities in the client that could be exploited.

To learn more here is an article I recommend and it has plenty of links in it to follow: http://windowssecrets.com/2009/02/05/01-Watch-a-live-video-share-your-PC-with-CNN

An open (non-commercial) peer to peer streaming solution is from the p2p-next consortium http://www.p2p-next.org.