Tuesday, January 30, 2007

Predators and their Prey

An old joke in the security community is:

  • Two people are walking on the Serengeti and they notice a lion is stalking them.
  • The first person stops, pulls out running shoes and puts them on.
  • The second person states "You can't outrun a lion."
  • The first person states "I don't have to outrun the lion. I have to outrun you."

The moral is that the easiest "kill" is the one most often taken by the predators.

The corollary is that the predators would rather hunt large herds where the sheer number almost guarantees a kill.

The corollary's moral is that since Windows is the biggest herd on the internet, make sure you're not one of the slowest and weakest in the herd.

Personally my running gear consists of a hardware firewall, personal firewall, anti-virus and anti-spam. In addition to that I use Firefox with the noscript and Siteadvisor extensions.

Thursday, January 25, 2007

acroBat out of 'ell

I now know why Acrobat 7 doesn't have Acrobat 8 as an upgrade. So far it seems to be a downgrade in ease of use and quite slow.

Now I upgraded because lately there have been several issues with Acrobat 7 that were not present in Acrobat 8. Additional details on the vulnerabilities are at the end for those who wish more information.

Anyway, I decided to update to Acrobat 8 only to lose functionality and speed.

Its interface has changed, and not for the better. When displaying documents in MS IE, your choices are limited to the icons at the top and the options available when you right-click on the document. It doesn't have the convenient "e-mail this file" icon; you have to save the document and e-mail it outside of the window. I do receive documents generated on the web that I do have to e-mail. When a document is displayed with the wrong orientation, your only choice is to right-click "rotate clockwise", which works but may need 3 rotations as opposed to one rotation counterclockwise.

Bottom line is that I'm going to try Foxit Software's PDF Reader (www.foxitsoftware.com/pdf/rd_intro.php), which is free and much smaller (the install program is about 1.5M compared to Adobe at about 20M).

Update 2-21-2007:

I find that Foxit works over 99% of the time. The exception is when a site is specifically written to utilize Acrobat Reader.

Vulnerability Details

The first was announced December 5th 2006 (http://www.adobe.com/support/security/bulletins/apsb06-20.html) by Adobe, and either required a dll replacement or an upgrade to Acrobat 8.

The second was a cross site scripting vulnerability announced at the 23rd CCC in December 2006 (http://events.ccc.de/congress/2006/Fahrplan/events/1602.en.html), and was not fixed by Adobe until about January 10th.

Tuesday, January 23, 2007

Anatomy of a Password

With my recent post concerning password tools, it seemed like a good idea to discuss passwords and what makes a reasonable password. I won't get overly technical or as in depth as Perfect Passwords (http://www.syngress.com/catalog/?pid=3420), which is full of good advice for the average user and administrator.

The Good, Bad and Ugly

Good: Secure passwords are long and complex, making it difficult for anyone else to use your ID and password.

Bad: The hardest to type and remember are the long and complex passwords.

Ugly: Always forgetting those good passwords, using a sticky note to post the passwords on your monitor, using simple insecure passwords, etc.

The Balancing Act

Personally I use Password Safe (http://passwordsafe.sourceforge.net), which I blogged about here. Even then, a good password should be used to protect all your stored passwords. As an example, "password" and "abc123" are not good passwords.

The best passwords are long, easily remembered and use upper and lower case letters, numbers and symbols (including spaces). I usually take a phrase, misspell some of the words, use capital letters in odd places and add unusual punctuation. As an example (and don't use this):

DoC+doktor w3re gona kr4sh#

Butchered from the following phrase:

doctor doctor we are going to crash

Not so Quick Quicktime Fix

Apple has released a fix (http://docs.info.apple.com/article.html?artnum=304989) for the Quicktime vulnerability first announced July 2nd, 2007 (http://www.kb.cert.org/vuls/id/442497).

Per the Apple site, URL above:

"Impact: Visiting malicious websites may lead to arbitrary code execution"

Password Tools

Passwords are the bane of security. Users hate them. Technical support spends too much time with password problems. Other options cost too much up front: imagine spending thousands of dollars to set up a solution that costs an additional $100 or more for each user.

Different systems have different requirements for user IDs and passwords. Passwords expire at different times.

Some sites use pre-defined questions and answers for password "recovery." Others require you to use your e-mail address to verify your identity.

Many people use a standard ID and password for multiple sites. Then there are those sites that won't work with the "standard." So a variant is used, but how many variants can be remembered?

What to do... write down IDs and passwords? Then you have to remember to change your paperwork when the password changes... and how well does that work for most people? Then there is the lost paper syndrome. There is no known recovery method for a lost password list.

Now let's look at standard IDs and passwords. With all the sites hacked and compromised, it only takes one compromised site to give the "keys to your kingdom" away. Imagine some minor site gets hacked and now your keys (standard ID, password, and e-mail address) are public domain. It is a small step to access your e-mail. Monitoring e-mail reveals things like your bank...

What most people need is a secure password repository. A password repository needs to have a long, complex master password. The master password is used to decrypt the stored passwords and IDs. The repository should generate random passwords for use on sites. The repository has to allow automated use of the ID and password (it should not force a user to read and retype the password).

Password Safe

One option is Password Safe (http://passwordsafe.sourceforge.net). Password Safe is an open source Windows application originally developed by Bruce Schneier's Counterpane Labs (http://www.counterpane.com/).

On the technical side, Password Safe uses Twofish and SHA-256 for encryption since version 2.0. The original database used Blowfish and SHA-1. Since it is open source there are versions for other operating systems, but be careful about the database encryption for compatibility. Password Gorilla (http://www.fpx.de/fp/Software/Gorilla/) is a Tcl/Tk version that will work with Windows, Mac and Linux, and uses the newer encryption (Twofish and SHA-256).

On the usability side, it can be installed on a thumb drive, saving the settings to an ini file, or on a hard drive using the registry. Password Safe can run on login, either prompting for the master password or minimizing as an icon on the taskbar. A tree structure can be used for organization. Right-clicking on an item provides several options including:

  • Open the website
  • Autotype the ID and password
  • Edit the entry
  • And more...

When editing an entry there are a number of options, including generating a password. Options for this include the number of characters and the character sets (a-z, A-Z, 0-9, punctuation symbols, etc.).

UPDATE 3/8/2007: U3

There is now a U3 version of Password Safe available.


RoboForm (http://www.roboform.com/) is a commercial password repository product. It includes a toolbar for your browser that simplifies its use. It will monitor your browser and save IDs and passwords with the "autosave" feature. With AES encryption the length of your password determines the strength of the algorithm.

AES key length depends on Master Password (MP) key length*:
  • 128 bit for MP less than 32 chars,
  • 192 bit for MP from 32 to 47 chars,
  • 256 bit for MP 48 chars or longer.
RoboForm has two variants designed for use with USB drives: RoboForm2Go (http://www.roboform.com/pass2go.html) for standard USB drives and RoboForm2Go for U3 (http://www.roboform.com/pass2go-u3.html), which is designed for U3 (http://www.u3.com/) thumb drives. [Note:] U3 is designed to make U3 versions of programs portable, storing registry information on the U3 USB drive. I have one and have mixed feelings about the technology.

Feature list*:
  • AutoSave passwords in browser.
  • AutoFill passwords to login form.
  • Click Login button for you.
  • Fill personal info into online forms.
  • Save offline passwords & notes.
  • Generate Secure Random Passwords.
  • Encrypt passwords and personal data using AES, Blowfish, RC6, 3-DES or 1-DES algorithms.
  • All personal info is stored on your computer only.
  • Take RoboForm with you on USB disk for ultimate portability.
  • Sync your passwords and notes to Palm or Pocket PC.
  • Backup & Restore, Print your passwords.
  • More features: drill down for more.
  • It is well-behaved: NO ADWARE, NO SPYWARE.
  • Works under Windows as an add-on to IE-based browsers.
  • Works with Netscape, Mozilla, Firefox under Windows.
* Taken from http://www.roboform.com/features.htm

Monday, January 22, 2007

Do you Java?

Sun Java has this nice "feature." Every time you update it the old version is left behind.

Which is great if you have some Java program that needs that version. For the rest of us it leaves old, hopefully unused, vulnerable code lying around.

Oh, by the way, it's not just a few megabytes. Per the MS "Add/Remove Programs" each version takes up between 60+ MB to over 100MB. Not that I've verified that; I was more interested in removing the vulnerable code.

I have not found a better method than to sit there and remove them one by one, hoping that it doesn't require a reboot... I know there are arguments for and against letting it reboot, but I want it off my system so I'll do as it requests to be on the safe side.

UPDATE 1/23/07: The Internet Storm Center (http://isc.sans.org) has an article on the subject (http://isc.sans.org/diary.html?storyid=2088) including a link on command line silent installs/uninstalls (http://java.sun.com/j2se/1.4.2/docs/guide/plugin/developer_guide/silent.html). The uninstall requires the proper executable that was used for the installation.

Update 2/21/07: Test Results

The good: installation is a snap, and using PSEXEC allows remote installations without a hitch. Return codes I found are 0 (installed) and 1603 (already installed). One caveat: if you use "\\*" as your target it will install on everything in the domain, including servers.

Uninstalling fails and throws a window explaining the options for Windows Installer switches. I don't know if I missed anything, but after a half dozen tests I decided to move on for now.

Update 2/22/07: Silent Uninstall Resolved:

The link above was for older versions of Java. I found the newer documentation online, and basically here is how to uninstall silently.

1.5.0 Update 10 AKA 5.0 Update 10
msiexec.exe /qn /x {3248F0A8-6813-11D6-A77B-00B0D0150100}

1.5.0 Update 11 AKA 5.0 Update 11
msiexec.exe /qn /x {3248F0A8-6813-11D6-A77B-00B0D0150110}

Where 1.5.0u10=0150100
and 1.5.0u11=0150110

Additional details here: (http://java.sun.com/j2se/1.5.0/docs/guide/deployment/deployment-guide/silent.html#uninstalling)
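
The one-by-one removal described above can be scripted. This PowerShell sketch is an added example, not code from the original post: it lists every installed product whose MSI product code shares the prefix of the two codes quoted above and runs the same msiexec command on each, keeping 1.5.0 Update 11. It assumes other 1.5.0 updates use the same prefix; the `$DryRun` switch and the `/norestart` flag are additions.

```powershell
# Added example, not from the original post. Dry run by default:
# set $DryRun = $false to actually uninstall.
$DryRun = $true

# Prefix shared by the two product codes quoted in the post. Assumption: other
# 1.5.0 updates use the same prefix and differ only in the trailing digits.
$Prefix = '{3248F0A8-6813-11D6-A77B-00B0D0'
# Product code of the version to keep (1.5.0 Update 11, from the post).
$Keep   = '{3248F0A8-6813-11D6-A77B-00B0D0150110}'

# MSI products register under Uninstall\{ProductCode}; the Wow6432Node path
# covers 32-bit Java on 64-bit Windows.
$Roots = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
         'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'

$Old = Get-ChildItem -Path $Roots -ErrorAction SilentlyContinue |
    Where-Object {
        $_.PSChildName.StartsWith($Prefix, [System.StringComparison]::OrdinalIgnoreCase) -and
        $_.PSChildName -ne $Keep
    }

foreach ($Key in $Old) {
    $Code = $Key.PSChildName
    $Name = (Get-ItemProperty -Path $Key.PSPath).DisplayName
    if ($DryRun) {
        Write-Output "Would remove: $Name  msiexec.exe /qn /x $Code"
        continue
    }
    # /norestart is added so a required reboot does not interrupt the loop.
    $Proc = Start-Process -FilePath 'msiexec.exe' `
        -ArgumentList '/qn', '/x', $Code, '/norestart' -Wait -PassThru
    switch ($Proc.ExitCode) {
        0       { Write-Output "Removed: $Name" }
        3010    { Write-Output "Removed, reboot required: $Name" }
        default { Write-Output "Failed ($($Proc.ExitCode)): $Name $Code" }
    }
}
```

Run it from an elevated prompt, and review the dry-run output before switching `$DryRun` off, since some applications still depend on a specific older Java version.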

Hello World

Every, or nearly every, programming course/tutorial starts with a "hello world" program. So in my initial post I pay my respects to this tradition.

I have been in the IT field for over 20 years and have worked, contracted and consulted to and for many companies in many capacities. Currently as I have my CISSP I am concentrating on security.

I plan on using this blog to discuss security related topics, but reserve the right to wander off topic and follow tangents from time to time.

I have to thank Two Guys Named Joe: A technology podcast for the average Joe (http://www.2gnj.com) for getting me thinking about this. They invited me to be a guest on one of their podcasts (2gnj Episode 20: Security is everyone's concern), and I found that I liked it.

I did decide that blogging would be a quicker, easier method. So here I am world.