More on DNS Security Issue Management – Know & Control DNS + SOHO Issues

Posted on by
Reply

Just added this to Revision 2 of the whitepaper:

Attack Vector Management

Part of mitigating the risk of this security issue is also managing the availability of the attack vector. In this case, it is essential that security teams understand how DNS resolution operates in their environment. DNS resolution must be controlled to the greatest extent possible. That means that all servers and workstations MUST be configured to use a set of known, trusted and approved DNS servers whenever possible. In addition, proper egress filtering should be implemented to prevent external DNS resolution and contact with port 53 on unknown systems. Without control over desktop and server DNS use, the attack vector available for exploitation becomes unmanageably large. Upper management must support the adoption of these controls in order to prevent compromise as this and other DNS vulnerabilities evolve.

Home User and Small Office Vulnerability

Home users and small offices (or enclaves within larger organizations) should pay careful attention to how their DNS resolution takes place. Many home and small business firewall devices such as Linksys, D-Link, Netgear, etc. are likely to be vulnerable to these attacks and are quite UNLIKELY to be patched to current firmware levels. Efforts must be made to educate home and small office users about this issue and to update all of these devices as the patches and upgrades to their firmware becomes available.

DNS Security Issue Overview & Mitigation Whitepaper

Posted on by
Reply

Our engineering team has analyzed the available data on this emerging security issue and the fixes identified. As such, we have prepared the following white paper for our clients and readers.

Please review the paper and feel free to distribute it to your management team, co-workers and others who need to be involved in understanding and remediating the problems emerging with DNS.

You can obtain the white paper here.

If your organization needs any assistance in understanding or managing this vulnerability, please do not hesitate to contact us. We would be happy to assist in any way possible.

HoneyPoint Security Server Console Upgrade and New Deployment Worksheet Available

Posted on by
Reply

A new release of HoneyPoint Security Server Console was released today. Version 2.51 includes two bug fixes and several library upgrades. The new release seems to be a bit faster on Windows systems, likely due to upgrades in the back-end libraries.

The new version fixes a bug in the math of the email alerts to system administrators where the wrong event counts would be included. It also repairs a bug that caused a crash on some systems when changing the status of multiple events. While neither of these bugs are critical, we thought the speed changes were worth a release.

The new version also includes the recently updated User Guide that now includes full instructions for installing the HPoints as a service or daemon using common tools or the tools from the resource kit.

We are also pretty happy to announce the availability of a deployment worksheet that guides new users through the deployment of the console and HPoints and helps them gather and define the information needed to do a full roll out.

We are hard at work on new HPoints and we have several that are finishing the testing process, so stay tuned for more releases soon. Updates are also underway to the Personal Edition (including a whole new GUI) and we are just starting to plan for version 3 of the console, so if you have suggestions, send them in.

Both the updates and the deployment guide are now available on the FTP server. Please use your credentials assigned when you made your product purchase to download them. If you need assistance, simply give us a call!

Office Access Remote Code Execution

Posted on by
Reply

Microsoft Office Access 2000, 2002, and 2003 contain a vulnerable ActiveX control. This control is a component that enables a user to view an Access report snapshot without having the standard or run-time versions of Microsoft Office Access. This can be exploited by malicious websites to take complete control (execute code remotely) over a visitors system. The ideal mitigation is to disable the affected ActiveX control by setting the killbit for the affected CLSIDs. Those CLSID’s are F0E42D50-368C-11D0-AD81-00A0C90DC8D9, F0E42D60-368C-11D0-AD81-00A0C90DC8D9, F2175210-368C-11D0-AD81-00A0C90DC8D9. See http://support.microsoft.com/kb/240797 for more information on setting the killbit.

Corporate Data Classification

Posted on by
Reply

One of the most urgent steps that many organizations are facing in their information security program is that of data classification. While this, and role-based access controls, are two of the most critical processes in the changing security landscape, they are also two of the most painful. Many organizations do not even know where their data is located, stored, processed or used to a full extent and are spending a great deal of resources just understanding “what they have” and “how it is used”.

While knowing where the data is and how it is used is essential, organizations must also embrace some type of mechanism for classifying data. In some cases this can be as easy as creating a standard set of data definitions such as Private Identity Data, Internal Use Only, Customer Confidential, etc. and then building a policy around how data of each type is to be created, managed, stored, processes, handled and destroyed. For many small businesses, this can be a relatively small undertaking and when done right can provide a real improvement in security – IF EVERYONE FOLLOWS THE RULES.

In larger organizations, classifications may be more diverse. There may be Private Employee Identity Data, Private Employee Healthcare Data, Customer Private Identity Data, Internal Use Only, Customer Confidential or others. Many organizations even go a little wild with this and build small acronyms and/or a legend into their policy so that you can label a word document of a contract with a client something like CCC for Customer Confidential – Contracts” or even worse, they will add a department code followed by some acronym that the department heads have made up. This is where the pain gets excruciating!

At MSI, we are big supporters of keeping the classifications as simple as possible. In most cases we are able to stick with “PII” for personal identity information, “Internal Use Only” for sensitive data not to be released outside of the company, “Confidential” for data that must be protected from all eyes except the intended participants and maybe a small set of divisions for other data outside of these such as HR, Finance, M&A, HIPAA, GLBA, etc. depending on what groups need to access the data or what regulations apply to the data. Of course, these can then be added to folder names, document headers, meta-tags and the myriad of other places used to quickly identify data.

Once you get your head around a working group of classifications, then comes the next task – identifying the appropriate controls for each type of data. That process takes experience, insight into specific business processes and a lot of patience. Start with data classification, though, and then build from there. As security evolves and becomes more nuanced, those with data classification schemes in place will be ahead of the coming curve. In the future, not all data will be treated or regulated the same, so make it easy on yourself and get started with data classification as soon as you can!

Microsoft Patches For July 2008

Posted on by
Reply

Tomorrow, Microsoft is releasing four security updates for multiple issues affecting Windows, Microsoft SQL Server and Microsoft Exchange Server. All four updates carry a rating of “important”, no “critical” updates on this round. Surprisingly, there’s no update for recent IE vulnerabilities. As usual, these updates should be tested and rolled out as soon as possible.

Sun Java System Access Manager XSLT/XML Vulnerabilities

Posted on by
Reply

A remote user may be able to execute arbitrary code in the context of the Access Manager application. The use would need to create an XML signature that would be viewed locally with the Access Manager. The privileges of the Access manager would be the same as web container application that it is run from. This could result in access to the hosting system.

The original advisory is available at: http://sunsolve.sun.com/search/document.do?assetkey=1-66-201538-1

IE6 and IE7 Vulnerable

Posted on by
Reply

A vulnerability in IE7 allows for websites to modify the location of another frame in another window by setting the location to an object instead of a string.This could lead to malicious sites loading content into frames of legitimate sites.

An input validation vulnerability in IE6 could result in the execution of arbitrary script code. This is due to errors in the handling of properties of a window object. Users should upgrade to IE7 as it is not affected by this vulnerability.

Microsoft SQL Injection Security Advisory

Posted on by
Reply

Microsoft has released a security advisory in response to the rapid increase in SQL injection attacks that have happened lately. This advisory was released to assist Web site administrators in identifying SQL injection issues within their Web application code, and to provide temporary solutions to mitigate SQL injection attacks against the server. The full advisory can be found at http://www.microsoft.com/technet/security/advisory/954462.mspx

It’s good to see Microsoft release such an advisory with explicit details on how to mitigate current issues and avoid SQL injection in the future. We have seen too many applications vulnerable to SQL injection, no matter if they’re ASP, PHP, Perl, Ruby or anything else. If you’re an ASP developer be sure to read this advisory and implement the listed strategies when coding, if you haven’t already.

Project Pre-Release – Vulnerabilities in Popular Content Management Systems Under Study

Posted on by
Reply

Over the next few weeks you will see more details from us about a project that we have been working on. As a part of our relationship with Syhunt, one of our elite partners for application security work, we have been testing and reviewing their new tool, Sandcat4PHP. The tool is a sophisticated and user friendly source code scanner for performing deep analysis of PHP applications including their surrounding javascript and HTML components.

Stay posted here for a pretty in-depth review of the new tool, its use and capabilities. We will be doing that review as a part of the project as well.

First, let me start with the purpose and the scope of the project. In the last few months we have worked with a number of clients who have had issues with the security of their content management system. More than a few of them are using popular products, but several are using proprietary tools as well. As such, we have worked on a few incidents and application reviews. That led to a pretty in-depth discussion between a couple of clients and ourselves about the state of content management system security, in general. As an off shoot of that discussion, we decided to test 5 of the most popular content managers using the new Syhunt PHP scanner, since we needed to review it anyway.

Next, we obtained a couple of lists of popular content managers. Selecting our five was pretty easy and we settled on the following:

WordPress, Joomla!, Mambo, Drupal and BitWeaver

We then downloaded the current versions of the CMS (as of that day, a couple of weeks ago…) and set up our testing environment.

We assessed the entire package, but only as downloaded from the web site. That means in most cases, that we tested only the core components and not any additional modules, plugins or components. We considered whatever was in the default download to be the basis for our work.

To date, we have begun our assessments and review of the CMS tools. We will be in contact with each of the CMS projects about the findings of the assessments and they will receive the details of the tool’s findings prior to public release of the technical details. Statistical and numeric data will also be forthcoming.

For now just let us say that we are evaluating our findings and that the tool performed very very well.

I look forward to sharing the details with everyone in the coming days.

Let me know if you have any questions about the product, the project or the work.