Showing posts from 2006

...and break the cycle they did.

I was more than pleased to see Microsoft step out of the monthly patch cycle to release MS06-055. Hopefully, this rare event will reoccur as necessary.
Microsoft patch statistics continue to bode poorly for IE. According to the Symantec Internet Security Threat Report, Trends for January 06 - June 06, "Microsoft had the longest exposure-to-patch time in the browser industry...it took Microsoft an average of nine days to issue a bug fix, while Apple published a patch within five days, Opera within two days and Mozilla within one day." In my previous post, where I mentioned three days for Mozilla to patch, I obviously overstated their average.
To be fair, MS is making strides on the OS front. Again, from Symantec's report, "Microsoft, however, leads the ranking in the operating system segment: The exposure time of a Windows security issue was 13 days; Sun had the longest patch release time with 89 days followed by HP with 53 days. Apple took an average of 37 days. …

It's time for MS to break their patch cycle.

At what point did Microsoft completely lose touch with reality?
No no...not when they thought the Internet was a passing fad, or when BG said we'd never need more than 640k RAM, or when they flip-flopped on a SQL backend for Exchange and kept the Jet db engine.
I'm talking about Black Tuesday, Patch Tuesday...Microsoft's "that time of the month."
Enough already. The MSIE VML vulnerability drives home three key points.
1) The shortcomings in MS product and code are likely to remain perpetual and inevitable.
2) Bright, capable, well intended engineers will release their own patches in the hope of filling the gap until the next Patch Tuesday. Kudos to the Zeroday Emergency Response Team: ZERT
3) MS needs to buck up, admit to the fact that they're far from perfect, work with the community to improve their code and react faster, and ultimately, BREAK THE 30 DAY PATCH CYCLE, when necessary. No 0-day vulns? Fine, but when one is made public, rally the troops, write the p…

Christopher Maxwell, botnet master, sentenced to 3 years +

I was in attendance at the four-hour sentencing hearing for Christopher Maxwell, the botnet master. After extensive testimony from the investigating agent Dave Farquhar, as well as representatives from Northwest Hospital, the DoD, and a California school district, Judge Pechman spoke at length and eloquently about her decision to send Mr. Maxwell to prison.
Where Asst. US Attorney Kathryn Warma sought 6 years imprisonment, the defense sought probation. The judge, after much thoughtful deliberation, gave him three years, followed by three years probation, and more than $250,000 in restitution to Northwest Hospital and DoD. He may well pay more to the school district too.
By any real standard, Mr. Maxwell's life is ruined, thanks to sadly flexible morals and the desire for easy cash.
It's a shame as, on one hand I felt bad for him, as I watched his family weep and pray, and noted his own readily visible emotions. He was indeed remorseful and accepted responsibility for his actio…

Snort management scripts

In a recent thread on the Internet Storm Center I offered some scripts that I wrote entirely for convenience at the shell prompt. Save each as the # commented title, add them to your working directory, chmod a+x them, and use at will:

For Bleeding-Edge rules, I prefer the single bleeding-all.rules so I use this to update it rather than Oinkmaster:

#bleedingpig
# Abort if the rules directory is missing so rm and wget don't run elsewhere
cd /etc/snort/rules/ || exit 1
rm -f bleeding-all.rules
wget http://www.bleedingsnort.com/bleeding-all.rules
-----------------------
To fire Oinkmaster manually rather than cron:
#oink
oinkmaster.pl -C /etc/oinkmaster.conf -C /etc/autodisable.conf -o /etc/snort/rules
-----------------------
To kill the daemon:
#killpig
killall snort
-----------------------
To confirm Snort process state:
#pigps
# The [s] bracket keeps grep from matching its own process entry
ps aux | grep '[s]nort'
-----------------------
To confirm Snort running cleanly after config or rule changes:
#pigchk
/usr/local/bin/snort -c /etc/snort/snort.conf -i eth1 -v
-----------------------
To start the daemon:
#pigd
/usr/local/bin/snort -c /etc/snort/snort.conf -i e…

RE: Hackers and Employment - What the heck's wrong with us?

Hackers and Employment - What the heck's wrong with us?
This essay describes a scenario that has long bothered me to no end.
What place does a hacker with obvious moral flexibility have in our
enterprises? Certainly they may be talented and quite brilliant, but can
they truly be trusted?
An associate, whose views I respect greatly, said this regarding
Mitnick's books. "I'll check them out of the library and read them for
the value they hold. But I won't buy them, I simply can't fund the
depravity."
The essay's author is right. We willingly pay for the breakdown of
simple societal standards that not so long ago were the expected norm.
Is it too much to ask that our information be safe, our systems
unhindered by malware designed to rob us financially and strategically,
and that organizations will choose not to hire the morally flexible?
Sadly, we know it is too much to ask.
But, I for one, will continue in my quest to protect that information,
those systems, and the peo…

3rd Party Patches while Microsoft waits

It's bad enough that they leave the front door wide open. See: Video of IE Exploit (createTextRang) using the latest Metasploit code.
Then Microsoft has to wait until patch Tuesday to release a fix for the latest IE issue. "Fine", say the brave and intrepid. Just like the WMF hole, well patched by Ilfak Guilfanov, now eEye and Determina have released their own patches for the MS Internet Explorer (createTextRang) vulnerability. See: Security Watch: Zero-Day Attack Advances Unpatched.
Is there a new industry on the horizon? Perhaps not a pay-per-use model, given the short life cycle before Patch Tuesday, but perhaps corporate sponsorships from those who seek glory in the face of the evil empire. Seems unlike Microsoft to create a market they can't corner, but who knows.

SSL-Explorer: Browser-based Open Source SSL VPN Solution

I've been waiting for a solution like SSL-Explorer to come along.
SSL VPN is undoubtedly the VPN solution that many enterprises will be moving to. Yes, the cost for appliance-based SSL VPN platforms has dropped dramatically with the SonicWALL SSL-VPN 200 coming in around $450 to $600. But if you want to roll your own, SSL-Explorer is the way to go. A single port-forward to a dedicated SSL-Explorer server and you're on your way.
From Nottingham, UK comes 3SP and SSL-Explorer, described as "the world's first open-source, browser-based SSL VPN solution. This unique remote access solution provides users and businesses alike with a means of securely accessing network resources from outside the network perimeter using only a standard web browser."
I've successfully deployed this solution in a development environment and found it easy to install, quick to configure, and popular with users.
May I suggest trying it for yourself here: SSL-Explorer.
SSL-Explorer can leverag…

Google Desktop's latest "enhancement"

Google announced its latest "enhancement" to its Google Desktop software on February 9th. I've by no means been a proponent of the software since its inception, and now this is truly ridiculous.
According to the Electronic Frontier Foundation "the new Search Across Computers feature will store copies of the user's Word documents, PDFs, spreadsheets and other text-based documents on Google's own servers, to enable searching from any one of the user's computers."
First the government wants access to Google search logs, now this.
In a nutshell, if you've installed this software and your Google account is compromised, your entire file system, on all the computers where you've installed Google Desktop, is completely available. A hacker's "one-stop-shop" if you will.
Worse still, "the government could then demand these personal files with only a subpoena rather than the search warrant it would need to seize the same things fro…