Monday, October 02, 2006

...and break the cycle they did.

I was more than pleased to see Microsoft step out of the monthly patch cycle to release MS06-055. Hopefully, this rare event will reoccur as necessary.
Microsoft patch statistics continue to bode poorly for IE. According to the Symantec Internet Security Threat Report, Trends for January 06 - June 06, "Microsoft had the longest exposure-to-patch time in the browser took Microsoft an average of nine days to issue a bug fix, while Apple published a patch within five days, Opera within two days and Mozilla within one day." In my previous post, where I mentioned three days for Mozilla to patch, I was obviously overstated their average.
To be fair, MS is making strides on the OS front. Again, from Symantec's report, "Microsoft, however, leads the ranking in the operating system segment: The exposure time of a Windows security issue was 13 days; Sun had the longest patch release time with 89 days followed by HP with 53 days. Apple took an average of 37 days. Red Hat matched Microsoft's time of 13 days."
So, two up, one down for MS...better, getting better.

Saturday, September 23, 2006

It's time for MS to break their patch cycle.

At what point did Microsoft completely lose touch with reality?
No no...not when they thought the Internet was a passing fad, or when BG said we'd never need more the 640k RAM, or when they flip-flopped on a SQL backend for Exchange and kept the Jet db engine.
I'm talking about Black Tuesday, Patch Tuesday...Microsoft's "that time of the month."
Enough already. The MSIE VML vulnerability drives home three key points.
1) The shortcomings in MS product and code are likely to remain perpetual and inevitable.
2) Bright, capable, well intended engineers will release their own patches in the hope of filling the gap until the next Patch Tuesday. Kudos to the Zeroday Emergency Response Team: ZERT
3) MS needs to buck up, admit to the fact that they're far from perfect, work with the community to improve their code and react faster, and ultimately, BREAK THE 30 DAY PATCH CYCLE, when necessary. No 0-day vulns? Fine, but when one is made public, rally the troops, write the patch, and put it on the street.
The Mozilla group is a great example. Firefox has been far from perfect, no doubt. But have you ever seen a three week delay between when the vulnerability is publicized and when their fix is released? Try three days. That's how you do it.

The more MS waits, the more soft spots are found in their code, the more reason they offer consumers to turn to other product. They lost me long ago, but what of the millions more they stand to lose? Is it so naive to believe that, by opening up a bit, and avoiding the uber-monolith mentality, Microsoft could vastly improve its image and market share?
Case in point: I'm writing on the best piece of hardware I've ever met, a MacBook Pro.

Saturday, August 26, 2006

Christopher Maxwell, botnet master, sentenced to 3 years +

I was in attendance at the four hour sentencing hearing for Christopher Maxwell, the botnet master. After extensive testimony from the investigating agent Dave Farquhar, as well as representatives from Northwest Hosptital, the DoD, and a California school district, Judge Pechman spoke at length and eloquently about her decision to send Mr. Maxwell to prison.
Where Asst. US Attorney Kathryn Warma sought 6 years imprisonment, the defense sought probation. The judge, after much thoughtful deliberation, gave him three years, followed by three years probation, and more that $250,000 in restitution to Northwest Hospital and DoD. He may well pay more to the school district too.
By any real standard, Mr. Maxwell's life is ruined, thanks to sadly flexible morals and the desire for easy cash.
It's a shame as, on one hand I felt bad for him, as I watched his family weep and pray, and noted his own readily visible emotions. He was indeed remorseful and accepted responsibility for his actions.
But my compassion began to fade as, in his own opportuntiy to speak to the judge, he suggested he might best serve time by speaking to high school students and other youth groups about his wrong doing.
To this I say, three years in the hole will offer a far better deterrent than Mr. Maxwell on a speaking tour, elevated to a status he is not worthy of.
Yes, his sole intention was propogating adware for pay, and even with root access to machines, he did no further damage and stole no information.
But botnets for dollars, or any other nefarious purpose, could have, quite simply in this case, cost someone their lives. Northwest Hospital continued to operate thanks to good disaster planning, but what if they hadn't? What if someone was misdiagnosed or issued the wrong medication as a function of Mr. Maxwell's criminal acts?
Both the Assistant US Attorney and Judge Pechman spoke directly of the need for deterrence. Yes, it may not help with our friends overseas, but maybe, just maybe, some script kiddie in a basement somewhere will now think twice before firing up an IRC server and letting loose with the malware.
To Asst. US Attorney Warma, Agent Dave Farquhar, and Judge Pechman I say, job well done.

Tuesday, August 15, 2006

Snort management scripts

In a recent thread on the Internet Storm Center I offered some scripts that I wrote entirely for convenience at the shell prompt. Save each as the # commented title, add them to your working directory, chmod a+x them, and use at will:

For Bleeding-Edge rules, I prefer the single bleeding-all.rules so I use this to update it rather than Oinkmaster:

cd /etc/snort/rules/
rm -f bleeding-all.rules
To fire Oinkmaster manually rather than cron:
#oink -C /etc/oinkmaster.conf -C /etc/autodisable.conf -o /etc/snort/rules
To kill the daemon:
killall snort
To confirm Snort process state:
ps aux | grep snort
To confirm Snort running cleanly after config or rule changes:
/usr/local/bin/snort -c /etc/snort/snort.conf -i eth1 -v
To start the daemon:
/usr/local/bin/snort -c /etc/snort/snort.conf -i eth1 -g snort -D

Thursday, August 03, 2006

RE: Hackers and Employment - What the heck's wrong with us?

Hackers and Employment - What the heck's wrong with us?

This essay describes a scenario that has long bothered me to no end.
What place does a hacker with obvious moral flexibilty have in our
enterprises? Certainly they may be talented and quite brilliant, but can
they truly be trusted?
An associate, whose views I respect greatly, said this regarding
Mitnick's books. "I'll check them out of the library and read them for
the value they hold. But I won't buy them, I simply can't fund the
The essay's author is right. We willingly pay for the breakdown of
simple societal standards that not so long ago were the expected norm.
Is it too much to ask that our information be safe, our systems
unhindered by malware designed to rob us financially and strategically,
and that organizations will choose not to hire the morally flexible?
Sadly, we know it is too much to ask.
But, I for one, will continue in my quest to protect that information,
those systems, and the people who count on them, living by a solid moral
standard built on the premise of "first, do no harm."

Tuesday, April 04, 2006

3rd Party Patches while Microsoft waits

It's bad enough that they leave the front door wide open See: Video of IE Exploit (createTextRang) using the latest Metasploit code.
Then Microsoft has to wait until patch Tuesday to release a fix for the latest IE issue. "Fine", say the brave and intrepid. Just like the WMF hole, well patched by Ilfak Guilfanov, now eEye and Determina have released their own patches for the MS Internet Explorer (createTextRang) vulnerability. See: Security Watch: Zero-Day Attack Advances Unpatched.
Is there a new industry on the horizon? Perhaps not a pay-per-use model, given the short life cycle before Patch Tuesday, but perhaps corporate sponsorships from those who seek glory in the face of the evil empire. Seems unlike Microsoft to create a market they can't corner, but who knows.

Sunday, February 26, 2006

SSL-Explorer: Browser-based Open Source SSL VPN Solution

I've been waiting for a solution like SSL-Explorer to come along.
SSL VPN is undoubtedly the VPN solution that many enterprises will be moving to. Yes, the cost for appliance based SSL VPN platforms has dropped dramatically with the SonicWALL SSL-VPN $200 coming in around $450 to $600. But if you want to roll you own, SSL-Explorer is the way to go. A single port-forward to a dedicated SSL-Explorer server and you're on your way.
From Nottigham, UK comes 3SP and SSL-Explorer, described as "the world's first open-source, browser-based SSL VPN solution. This unique remote access solution provides users and businesses alike with a means of securely accessing network resources from outside the network perimeter using only a standard web browser."
I've successfully deployed this solution in a development environment and found it easy to install, quick to configure, and popular with users.
May I suggest trying it for yourself here: SSL-Explorer.
SSL-Explorer can leverage Active Directory, and yet is licensed under the GNU General Public License and you can install it on Windows or Linux.
You can use the free version or opt for the supported, feature-rich SSL-Explore Xtra.
The feature list is long, just go check it out: SSL-Explorer.

Monday, February 13, 2006

Google Desktop's latest "enhancement"

Google announced it's latest "enhancement" to it's Google Desktop software on February 9th. I've by no means been a proponent of the sofware since its inception, and now this is truly ridiculous.
According to the Electronic Frontier Foundation "the new Search Across Computers feature will store copies of the user's Word documents, PDFs, spreadsheets and other text-based documents on Google's own servers, to enable searching from any one of the user's computers."
First the goverment wants access to Google search logs, now this.
In a nut shell, if you've installed this software and your Google account is compromised, your entire file system, on all the computers you've installed Google Desktop, is completelty available. A hacker's "one-stop-shop" if you will.
Worse still, "the government could then demand these personal files with only a subpoena rather than the search warrant it would need to seize the same things from your home or business, and in many cases you wouldn't even be notified in time to challenge it."
I can't say this enough, if you value your privacy and your personal security do not install this software under any circumstances.
More information:

Moving blog to

toolsmith and HolisticInfoSec have moved. I've decided to consolidate all content on one platform, namely an R markdown blogdown sit...