Blog: Security and Compliance

Symantec Endpoint Protection clients that have been cloned and rolled out to production may be misconfigured. I recently found out that Sysprep does not remove the hardware ID for SEP, which prevents the clients from appearing in the SEP console properly. Since all the systems will have the same hardware ID, each one that checks in replaces the previous system that checked in. The clients will still receive updates, but the console will not let you track all of them. To fix the problem, a new hardware ID for Symantec must be created.

  1. Delete %programfiles%\Common Files\Symantec Shared\HWID\sephwid.xml
  2. Open the registry and navigate to HKLM\Software\Symantec\Symantec Endpoint Protection\SMC\SYLINK\SyLink
  3. Edit the “HardwareID” value data to be blank
  4. Restart the Symantec Management Client (SMC) service in the services snap-in

The client will generate a new unique Hardware ID and a new sephwid.xml.
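The four steps above as one script, added here as an example and not part of the original post: it records the duplicated ID, performs the reset, restarts the service and then confirms that a different HardwareID and a fresh sephwid.xml were produced. It assumes the SMC service is registered as SmcService and must run in an elevated PowerShell session on the client.

```powershell
# Added example (not from the original post): reset a cloned SEP client's
# hardware ID and verify that a new one was issued. Run elevated on the client.
# File, key and value names are the ones given in the post; the service name
# SmcService is an assumption.
$hwidFile  = Join-Path ${env:ProgramFiles} 'Common Files\Symantec Shared\HWID\sephwid.xml'
$sylinkKey = 'HKLM:\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\SYLINK\SyLink'
$valueName = 'HardwareID'

# Keep the duplicated ID so the result can be compared afterwards.
$oldId = (Get-ItemProperty -Path $sylinkKey -Name $valueName -ErrorAction SilentlyContinue).$valueName
Write-Host "Current HardwareID: $oldId"

# Step 1: remove the cached hardware ID file.
if (Test-Path $hwidFile) { Remove-Item -Path $hwidFile -Force }

# Steps 2 and 3: blank the HardwareID value data (the value itself stays).
Set-ItemProperty -Path $sylinkKey -Name $valueName -Value ''

# Step 4: restart the Symantec Management Client service so it regenerates the ID.
Restart-Service -Name SmcService -Force

# Poll for up to two minutes until a new, different ID shows up in the registry.
$deadline = (Get-Date).AddMinutes(2)
do {
    Start-Sleep -Seconds 5
    $newId = (Get-ItemProperty -Path $sylinkKey -Name $valueName -ErrorAction SilentlyContinue).$valueName
} until ((-not [string]::IsNullOrEmpty($newId) -and $newId -ne $oldId) -or ((Get-Date) -gt $deadline))

if ([string]::IsNullOrEmpty($newId) -or $newId -eq $oldId) {
    Write-Warning 'HardwareID was not regenerated; check that SmcService is running.'
} elseif (-not (Test-Path $hwidFile)) {
    Write-Warning "New HardwareID $newId issued, but $hwidFile has not been recreated yet."
} else {
    Write-Host "New HardwareID: $newId (sephwid.xml recreated)"
}
```

Run it on each cloned client and compare the printed IDs across machines; if two clients still report the same value, the reset did not take on one of them.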



I think we all know better than to download executable programs (.exe's) from untrusted sources and run them.  Opening a Word document from an untrusted source could be dangerous.  Now, even opening a PDF file on a fully patched Windows machine with excellent, up-to-date anti-virus and malware software could cause your machine to get owned.

Didier Stevens, who has written some great PDF analysis tools, published a disturbing blog post the other day.  He demonstrates how to use an existing feature of PDF to execute a program on someone's computer when they open the document.  Adobe Acrobat Reader displays a message first, but the message text can be changed to social engineer someone into clicking the Open button.  And my favorite PDF reader, Foxit, does not even display this message.  Disabling JavaScript does not help.

Here is the link to his article: http://blog.didierstevens.com/2010/03/29/escape-from-pdf/

I downloaded his extremely simple example and in a few seconds changed it to run a batch script instead of cmd.exe.  It looks like it would be trivial to make it run any sequence of commands desired.  Depending on the PDF viewer used, this same technique will work on other operating systems such as Linux or Mac OS X.
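A triage script for the feature described above, added as an example here and not taken from the post or from Didier Stevens' tools: it scans PDFs for a /Launch action (plus the /OpenAction, /AA and JavaScript tokens that usually accompany it), undoes the #xx hex escapes a PDF name token may use, and reports files whose objects are hidden inside compressed object streams as undecided rather than clean. The folder path is an assumed placeholder.

```powershell
# Added example, not code from the original post or from Didier Stevens' tools:
# flag PDFs that carry a /Launch action. A byte scan cannot see inside
# compressed object streams (/ObjStm), so those files are reported as UNKNOWN.
function Test-PdfLaunchAction {
    param([Parameter(Mandatory)][string]$Path)

    # Read raw bytes and map them to Latin-1 so every byte is exactly one character.
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    $text  = [System.Text.Encoding]::GetEncoding(28591).GetString($bytes)

    # Undo #xx escapes inside name tokens: /L#61unch -> /Launch
    $evaluator  = [System.Text.RegularExpressions.MatchEvaluator]{
        param($m) [string][char][Convert]::ToInt32($m.Groups[1].Value, 16) }
    $normalised = [regex]::Replace($text, '#([0-9A-Fa-f]{2})', $evaluator)

    # Count action-related tokens; the lookahead keeps /JS from matching /JScript.
    $counts = @{}
    foreach ($name in '/Launch', '/OpenAction', '/AA', '/JavaScript', '/JS', '/ObjStm') {
        $counts[$name] = [regex]::Matches($normalised, [regex]::Escape($name) + '(?![A-Za-z])').Count
    }

    # Recover the file the /Launch action points at, when it is in the clear.
    $targets = [regex]::Matches($normalised, '/Launch[^>]*?/F\s*\(([^)]*)\)') |
        ForEach-Object { $_.Groups[1].Value }

    $verdict = if ($counts['/Launch'] -gt 0) { 'REVIEW: /Launch action present' }
               elseif ($counts['/ObjStm'] -gt 0) { 'UNKNOWN: compressed object streams, inspect with a PDF parser' }
               else { 'no /Launch action found' }

    [pscustomobject]@{
        File          = $Path
        Launch        = $counts['/Launch']
        AutoTriggers  = $counts['/OpenAction'] + $counts['/AA']
        JavaScript    = $counts['/JavaScript'] + $counts['/JS']
        ObjectStreams = $counts['/ObjStm']
        LaunchTarget  = ($targets -join '; ')
        Verdict       = $verdict
    }
}

# Scan a folder of incoming PDFs (assumed path) and list the ones to look at first.
Get-ChildItem -Path 'C:\Incoming' -Filter *.pdf -Recurse |
    ForEach-Object { Test-PdfLaunchAction -Path $_.FullName } |
    Sort-Object Launch -Descending | Format-Table -AutoSize
```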

When using Google, one might consider clicking on Quick View or View as HTML instead of viewing the actual PDF file.

UPDATE:  Adobe finally responded to this, explaining simply how to disable this feature.  This sounds like a good thing to do for most users. http://blogs.adobe.com/adobereader/2010/04/didier_stevens_launch_function.html



I recently upgraded a Windows server to the latest version of Symantec Endpoint Protection, and the server was no longer accessible on the network after the upgrade.  The server would not respond to network requests even though the console was working.  It turned out the full SEP feature set was installed, including the SEP firewall, and a firewall policy was now applied to the server.  This caused the SEP firewall to isolate the server from the network.

To fix the problem I uninstalled Endpoint Protection and reinstalled it without the firewall feature set.  I also applied a firewall policy just in case the firewall feature was installed on that server again.  My suggestion is to modify the SEP installation document so that a firewall policy is not applied.



I was trying to use Cisco’s Adaptive Security Device Manager (ASDM) to connect to our ASA in the office.  I was getting an authentication error but I knew my credentials were correct and it was working for another engineer.  The Java console contained the error “java.io.IOException: Authentication failure”.  I found several references to proxy issues related to this error, so I went to the Network Settings section of the Java app in the control panel and manually specified our proxy server (including the local bypass addresses) and it started working.  The proxy setting was set to “use browser settings” but obviously this wasn’t working.



Conditions:

  1. Machines that used to run ISA Firewall client
  2. Uninstallation of ISA Firewall client
  3. New PROXY settings configured
  4. SEP 11.5 installed.

Many machines began getting errors in the application logs from Event Source: crypt32, Event ID: 8.  The description of the error says “Failed auto update retrieval of third-party root list sequence number from: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt”.

I eventually stumbled across a few forums that led me towards this issue happening after installing SEP 11.5.  What seemed to be happening is that the machines attempted to update their root certificates from Microsoft Update at two-hour intervals.  The machine attempts to connect using the SYSTEM account, so it is important that this account also has the correct PROXY settings.  It is likely that after removal of the ISA Firewall client, the settings for the SYSTEM account were left in the registry pointing to the old PROXY server.

The SYSTEM account can always be found in the registry at HKEY_USERS\S-1-5-18. I found that on machines that were not working, the registry keys under HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings were pointing to the old PROXY script whereas the working ones were pointing to the correct PROXY wpad.dat configuration file.  I had to pull the settings from a newer system because this registry key is a binary key, so you cannot simply type the value.
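Because DefaultConnectionSettings is a binary value, the quickest way to see what the SYSTEM profile is actually pointing at is to decode it. The script below is an added example, not part of the original post: it decodes the value for the current user and for SYSTEM (HKEY_USERS\S-1-5-18) and warns when the two disagree. It assumes the commonly documented layout of that value (three DWORDs: version, change counter, flags; then three length-prefixed strings: proxy server, bypass list, auto-config URL) and must run elevated.

```powershell
# Added example, not from the original post: decode DefaultConnectionSettings
# for the current user and for SYSTEM and compare the proxy / auto-config
# script they point at. The byte layout below is an assumption (commonly
# documented, not stated in the post). Run elevated.
function ConvertFrom-ConnectionSettings {
    param([Parameter(Mandatory)][byte[]]$Bytes)
    $flags = [BitConverter]::ToUInt32($Bytes, 8)
    $pos = 12
    # Three length-prefixed ANSI strings follow the header DWORDs.
    $strings = foreach ($i in 1..3) {
        $len = [BitConverter]::ToInt32($Bytes, $pos); $pos += 4
        [System.Text.Encoding]::ASCII.GetString($Bytes, $pos, $len); $pos += $len
    }
    [pscustomobject]@{
        Version       = [BitConverter]::ToUInt32($Bytes, 0)
        ChangeCounter = [BitConverter]::ToUInt32($Bytes, 4)
        UseProxy      = [bool]($flags -band 0x02)
        UseAutoConfig = [bool]($flags -band 0x04)
        AutoDetect    = [bool]($flags -band 0x08)
        ProxyServer   = $strings[0]
        BypassList    = $strings[1]
        AutoConfigUrl = $strings[2]
    }
}

$connKey = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections'
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}
$userBytes   = (Get-ItemProperty -Path "HKCU:\$connKey").DefaultConnectionSettings
$systemBytes = (Get-ItemProperty -Path "HKU:\S-1-5-18\$connKey").DefaultConnectionSettings

$userCfg   = ConvertFrom-ConnectionSettings -Bytes $userBytes
$systemCfg = ConvertFrom-ConnectionSettings -Bytes $systemBytes
'--- Current user ---';      $userCfg   | Format-List
'--- SYSTEM (S-1-5-18) ---'; $systemCfg | Format-List

# The crypt32 root-list download runs as SYSTEM, so that is the profile that matters.
if ($systemCfg.AutoConfigUrl -ne $userCfg.AutoConfigUrl -or $systemCfg.ProxyServer -ne $userCfg.ProxyServer) {
    Write-Warning 'SYSTEM proxy settings differ from the working user profile.'
    Write-Warning "To copy the working value over: Set-ItemProperty -Path 'HKU:\S-1-5-18\$connKey' -Name DefaultConnectionSettings -Value `$userBytes"
}
```

Run it first on a machine where the root-list update works and then on a failing one; the AutoConfigUrl field is where the old PROXY script shows up.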

Be sure that the machine also has unauthenticated user access allowed through any web filtering appliance to www.download.windowsupdate.com.
More information can be found at http://service1.symantec.com/support/ent-security.nsf/854fa02b4f5013678825731a007d06af/1f626f1854285036802574e4002de4c7?OpenDocument



I created a new tool to add to my arsenal of PGP recovery items. This came up when I really needed to do some file level work on a PC that wouldn’t boot and I couldn’t conduct a repair or get to the files because of the PGP whole disk encryption. I was able to take the Automated Installation Kit for Windows 7 and create a WinPE recovery ISO. From there, I found a PGP document (https://support.pgp.com/?faq=1526) that gave the steps as to how to inject the PGPWDE drivers in order to get authenticated.

Essentially, you can boot to this disk, run the command "pgpwde --disk 0 --auth -p <passphrase>" and from there, you can determine the encryption status, decrypt/encrypt disks, perform file level actions, add/remove passphrase users. One potential use for this, that I did not test, would be to boot to this disk, become authenticated, eject the disk and insert a Windows 7 installation disk, and perform a repair on the OS. The only potential problem I could see with this is if the Win 7 installation wrote over PGP’s MBR, but I’m sure that’s not too difficult to fix. In either case, it could potentially save a few hours of rebuilding time.



The Federal Financial Institutions Examination Council (FFIEC) issued an updated Retail Payment Systems Booklet.  The booklet is part of the IT Examination Handbook series and provides guidance to examiners, financial institutions, and technology service providers (TSPs) on identifying and controlling risks associated with retail payment systems and related banking activities.  To download the booklet and associated workprogram, visit http://www.ffiec.gov/ffiecinfobase/html_pages/it_01.html



The RSA iPhone app displays a PIN to use for logging into a protected server.  The displayed PIN consists of two 4-digit codes separated by a space.   When you enter the code, do not enter the space.   The RSA software wants the numbers in one continuous block.



CoNetrix is pleased to announce the release of Tandem, new security and compliance software. Tandem was developed to help financial institutions complete and maintain an Information Security Program (per GLBA and the Interagency Guidelines Establishing Information Security Standards).  While Tandem was designed as a complete solution from the ground up, it was fashioned into modules which allow for versatility.  The modules include risk assessment, policies, vendor management, and business continuity planning.  Each module was released as it was completed.

To read the full press release, visit http://news.yahoo.com/s/prweb/20100216/bs_prweb/prweb3598024_2



The American Bankers Association (ABA) has published a news release warning its members of a fraudulent email attack, an attack commonly referred to as phishing.  According to the ABA, the emails inform recipients that an “unauthorized transaction” has been charged to their account using their “bank card.”  The amount of the transaction is typically between $3,000 and $7,000.

In the news release, the ABA states they would never contact a consumer and ask for financial information.

To read the news release from the ABA, visit http://www.aba.com/Pressrss/012610FraudulentEmails.htm