Blog: Security

I was trying to use Cisco’s Adaptive Security Device Manager (ASDM) to connect to our ASA in the office.  I was getting an authentication error but I knew my credentials were correct and it was working for another engineer.  The Java console contained the error “java.io.IOException: Authentication failure”.  I found several references to proxy issues related to this error, so I went to the Network Settings section of the Java app in the control panel and manually specified our proxy server (including the local bypass addresses) and it started working.  The proxy setting was set to “use browser settings” but obviously this wasn’t working.



I created a new tool to add to my arsenal of PGP recovery items. This came up when I really needed to do some file level work on a PC that wouldn’t boot and I couldn’t conduct a repair or get to the files because of the PGP whole disk encryption. I was able to take the Automated Installation Kit for Windows 7 and create a WinPE recovery ISO. From there, I found a PGP document (https://support.pgp.com/?faq=1526) that gave the steps as to how to inject the PGPWDE drivers in order to get authenticated.

Essentially, you can boot to this disk, run the command "pgpwde --disk 0 --auth -p <passphrase>" and from there, you can determine the encryption status, decrypt/encrypt disks, perform file level actions, add/remove passphrase users. One potential use for this, that I did not test, would be to boot to this disk, become authenticated, eject the disk and insert a Windows 7 installation disk, and perform a repair on the OS. The only potential problem I could see with this is if the Win 7 installation wrote over PGP’s MBR, but I’m sure that’s not too difficult to fix. In either case, it could potentially save a few hours of rebuilding time.



The Federal Financial Institutions Examination Council (FFIEC) issued an updated Retail Payment Systems Booklet.  The booklet is part of the IT Examination Handbook series and provides guidance to examiners, financial institutions, and technology service providers (TSPs) on identifying and controlling risks associated with retail payment systems and related banking activities.  To download the booklet and associated workprogram, visit http://www.ffiec.gov/ffiecinfobase/html_pages/it_01.html



The American Bankers Association (ABA) has published a news release warning its members of a fraudulent email attack, an attack commonly referred to as phishing.  According to the ABA, the emails inform recipients that an “unauthorized transaction” has been charged to their account using their “bank card.”  The amount of the transactions is typically between $3,000 and $7,000.

In the news release, the ABA states they would never contact a consumer and ask for financial information.

To read the news release from the ABA, visit http://www.aba.com/Pressrss/012610FraudulentEmails.htm



I installed Intel Turbo Memory driver update - but it also updated the Intel Matrix Storage Manager & Turbo Memory driver.  After the installation there were two entries in Programs and Features - one just for the Turbo Memory driver and one for the Matrix Storage Manager & Turbo Memory.

After this installation, my PGP single sign-on stopped working.  I would enter a pass phrase at boot and then credentials again when Windows started.  I changed my password to get things synched back up and it still didn't work.

I uninstalled the Turbo Memory driver, after which there is only one related Intel entry in Programs and Features and now it doesn't mention Turbo Memory.  Then I rebooted and still had to use the old Windows password in the PGP boot loader and the new one when Windows started up.  However, this time, when booting into Windows, it gave me a password error before asking for the correct one (i.e., PGP had passed the old one through this time - I could have saved a password change).  After I entered the correct password, things worked correctly at the next boot.



On a recent IT audit, the bank was using a Samba directory instead of Microsoft’s Active Directory for user authentication on their workstations.  We use an audit tool called DumpSec to dump the user accounts out of Active Directory.  However, when I tried to use it on the Samba directory, I got an error message and a partial list of users (about 6 accounts out of 85).  After trying several fixes, including joining a VM to the domain and running DumpSec using the root credentials, I unchecked the “Show computer accounts” option in DumpSec (see screenshot below) and it worked.



A user at one of our clients' sites was experiencing an issue where a Symantec Antivirus full scan was started when the user logged in every morning.  The scan was scheduled to run at 1:00 AM, but it seemed to be ignoring the schedule.  The problem was caused by the computer being in sleep mode during the evening when the scan was scheduled to run.  The scheduled scan would not bring the computer out of sleep mode to run the scan at the scheduled time.  As soon as the user started to log in, the computer would come out of sleep mode and the scan would start.  The power saving options are a per-user setting.  Without group policies in place, this setting must be completed for each user on each computer.



Many people received a phishing e-mail with the Subject "FDIC has officially named your bank a failed bank" yesterday appearing to come from the FDIC.  The text from the fraudulent e-mail would appear something like:

You have received this message because you are a holder of a FDIC-insured bank account.
Recently FDIC has officially named the bank you have opened your account with as a failed bank, thus, taking control of its assets.

You need to visit the official FDIC website and perform the following steps to check your Deposit Insurance Coverage:
  • Visit FDIC website: (a fraudulent link was provided here)
  • Download and open your personal FDIC Insurance File to check your Deposit Insurance Coverage

It appears this is a new phishing attack where the intent is to attempt to collect personal or confidential information.  Recipients of this e-mail should be warned of its nature and encouraged NOT to follow any of the links from the e-mail.

Here is the link to the FDIC Consumer Alert published October 26, 2009 - http://www.fdic.gov/consumers/consumer/alerts/
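Both the ABA and FDIC posts above describe the same pattern: an e-mail invoking a trusted institution, an urgent financial pretext, and a link or file the recipient is told to open. The script below is an added example (not from the original posts) of the kind of check a mail filter or help desk could run over such a message. The sample messages, the placeholder link hosts and the small allow-list of legitimate domains are all constructed for illustration.

```python
"""Added example: flag the phishing indicators described in the ABA and FDIC
posts (urgency language, a request to open a file, and links whose host does
not belong to the organisation the mail claims to come from)."""
import re
from urllib.parse import urlparse

# Constructed sample modelled on the FDIC e-mail quoted above.  The URL is a
# placeholder; the real fraudulent link is not reproduced.
FDIC_SAMPLE = """Subject: FDIC has officially named your bank a failed bank
From: FDIC <alerts@fdic.gov>

You have received this message because you are a holder of a FDIC-insured bank account.
Recently FDIC has officially named the bank you have opened your account with as a failed bank.
Visit FDIC website: http://fdic-insurance-check.example.net/coverage.php
Download and open your personal FDIC Insurance File to check your Deposit Insurance Coverage
"""

# Constructed sample modelled on the ABA warning (amount in the $3,000-$7,000 range).
ABA_SAMPLE = """Subject: Unauthorized transaction on your bank card
An unauthorized transaction of $4,500 was charged to your account using your bank card.
Review it at http://aba-card-verify.example.org/review
"""

# Assumption: a defender-maintained allow-list of the domains each
# organisation really uses for customer contact.
LEGIT_DOMAINS = {"fdic": {"fdic.gov"}, "aba": {"aba.com"}}

# Phrases typical of the pretexts in both posts.
URGENCY_TERMS = ("failed bank", "unauthorized transaction", "immediately", "suspended")


def extract_urls(text):
    """Return every http(s) URL found in the message body."""
    return re.findall(r"https?://[^\s<>'\"]+", text)


def registrable_domain(host):
    """Reduce a host name to its last two labels (good enough for .gov/.com/.net)."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def analyze(email_text, org):
    """Return a list of human-readable findings; an empty list means no indicator fired."""
    findings = []
    allowed = LEGIT_DOMAINS.get(org, set())
    for url in extract_urls(email_text):
        host = urlparse(url).hostname or ""
        if registrable_domain(host) not in allowed:
            findings.append(f"link host '{host}' is not a known {org} domain")
    lowered = email_text.lower()
    for term in URGENCY_TERMS:
        if term in lowered:
            findings.append(f"urgency phrase: '{term}'")
    # The FDIC variant asks the reader to download and open a "file".
    if re.search(r"\b(download|open)\b.*\b(file|attachment)\b", lowered):
        findings.append("asks recipient to download or open a file")
    return findings


if __name__ == "__main__":
    for name, sample, org in (("FDIC", FDIC_SAMPLE, "fdic"), ("ABA", ABA_SAMPLE, "aba")):
        print(f"--- {name} sample ---")
        for finding in analyze(sample, org):
            print(" *", finding)
```

The link-host check is the one that matters most: the From header and the institution's name in the body are freely chosen by the sender, so a message should be judged by where its links actually point. A real deployment would replace the two-label `registrable_domain` shortcut with a public-suffix list and resolve any URL shorteners before comparing.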



I was testing a new VMware security application (Tripwire ConfigCheck).  I downloaded it to a virtual machine and followed the instructions to run the application (a cmd file), but it didn’t run – I edited the cmd file & added a pause to see if I could tell where it stopped & it appeared to be before calling a .jar file – I did not have Java installed, so I installed Java & tried again – still failed – I read the instructions & found it supports JRE 1.5 or higher, but just in case, I installed the older version (1.5) to see if it would work – still didn’t work – finally, I opened up a command prompt & ran the cmd file from there & received an error that stated your display settings must be at 1024 X 768 for the application to run – my virtual system resolution was too low ...



During a recent information security audit, I ran across a “unified threat management” system that I had not seen before called Untangle (www.untangle.com).  The bank was using it in place of a traditional firewall.  According to the Untangle website, the Untangle Gateway is “the world’s first commercial-grade open source solution for blocking spam, spyware, viruses, adware and unwanted content on the network, provides a free and better alternative to costly, inflexible proprietary appliances.”  The interesting part is that the gateway runs on Linux and all the “modules” (firewall, IPS, web content blocker, etc.) are open source downloads, so the gateway is a free download.  Additionally, the source code for the Untangle gateway is available for download.

You can choose to pay for certain modules such as Untangle support, an Active Directory connector, Kaspersky virus blocker, etc.  However, the rest of the modules can be downloaded and installed from a very simple GUI for free.  So far, I have not been able to find any major vulnerabilities or issues with this software.  Their target market is small to medium businesses that don’t want to pay the big bucks for Cisco, SonicWall, and other proprietary appliances.

Untangle also makes another product called “Re-Router” that is a network gateway/proxy server that runs in background on a Windows XP workstation.