There was an exploit released for a recent HP OpenView vulnerability that was disclosed a few days ago. The exploit is able to return a shell on version 7.5.1, and would only take a little more work to affect other versions. HP has not released an update for this vulnerability yet, but is expected to soon. In the mean time, restrict access to the OpenView NNM, which defaults to port 2954/tcp.
I really wanted to call this post How NOT to Sell Your Scanning Tool to Other Security Companies, but it seemed a little long.
Great….. That’s really just what you want to see…Looks like it went out to all PCI ASV companies. Fantastic, now I get spam based upon the PCI vendor list… I guess there is irony in the security business after all…
So, today, I was lucky enough to get spam from another security vendor with an offer to tell me all about how their company and tool can really help us be a better PCI ASV. I thought I would include it here, with some relevant commentary…
My name is Bob XXX and I am responsible for XXX PCI Compliance Partner Program.
Hi Bob. Just in case you are new to the security world, spam is not really cool and uninvited emails, especially those without an opt-out mechanism (like this one…) are really not much different than the guys selling V1agr4 and other junk via email. It basically uses other peoples’ time and resources without their consent…
A number of PCI ASVs use XXX products and services as a basis for their PCI Scanning offerings for the following reasons:
Wow! This is a great point. So, I can use your tool, just like other ASV providers and have even LESS to set me apart from my competition on the race to FREE scanning for PCI compliance. Ummm, thanks…
XXX PCI Scanning Solution
Wait for it… Here it comes…. The long list of “benefits” to me as a security provider…. Right….
… Is a leveraged investment providing unlimited scans and not a pay for every scan expense.
Well, at least I only have to pay for it like regular software and not that pay as you go model. Ummm… How is this a benefit for ASV companies? How is this different from Nessus and the plethora of other scanners that don’t follow the “Comodo model” (wait… aren’t they FREE for PCI scans now???)?
… Can accurately identify over 17,000 conditions which can decrease analyst review time; reducing time and cost.
I always love these numbers… Our toolset checks for more than 20,000 security issues… I hate adding these in, but a lot of clients always ask for them….Also, a definition of “accurately” would be appreciated. If you are suggesting that your tool has 17,000 checks that don’t create any false positives then I would say you are delusional. Be truthful, you say it reduces analyst time, but if an analyst still has to check them then we are again back to the definition of “accurate”…
… Is based on XXX XXX, a commercially available product, with ongoing investment in research and development to insure it is the most robust and accurate solution available.
So, “commercially available” translates to “better”? I would love to see you argue this with several security folks I can think of. How does commercial availability translate to quality? Are you implying that open source or propietary solutions are lesser because of their availability and lack of commercial cost? Is Linux less “robust and accurate” than Windows because it is open source or does the fact that Redhat sells a version of it make it more “robust and accurate” since it is commercial???
… Is supported by XXX’s award winning customer support organization.
Good. I am glad to hear you have won awards for support. How much support does the product need? Oh, wait, I think I see your implication – it’s that open source thing again isn’t it? Exactly what products are you attempting to compete against? I mean Nessus, which I would assume to be your primary target, has support too if you purchase the product. My guess is that this is a stab at the customer emotions and fears of newsgroup and mailing list support. Is that still an issue? I mean, especially since ASV companies are supposed to be the experts with their scanning tools, how does this translate to something I should be concerned about? Don’t my technicians know their tools well enough to not need the usual technical support?
… Can provide a strategic foundation for other revenue generating services such as
Ø Web Application Scanning
Ø Vulnerability Risk Management Scanning
Ø Configuration Compliance solutions
Now this is interesting… At first, I took it to mean that the tool did all of this… But it just says that it provides a “strategic foundation” for generating revenue from other services… What exactly is “Vulnerability Risk Management Scanning”? How is that different from traditional vulnerability scanning? Does it measure, quantify or create metrics somehow that communicate real-world risk, or is this just the usual H/M/L stuff like always? As for the revenue, would that be revenue for the ASV or for XXX? Both? On the good news front, I am pretty glad to see that you mentioned scans for web application issues, that is a good thing and at least you got this right…
I would like the opportunity to discuss your current solution and answer any questions about XXX to determine if we are an attractive alternative.
If you are interested in learning more, please respond to me so we can coordinate a day/time for a phone conversation.
Ummm…. Thanks, but no thanks. First, my company is an ASV. To become an ASV we had to do some scanning and testing. Thus, we already have tools. We also already appear to have tools that are superior to yours, at least in our opinion.
But, the number one reason I would not buy from your company is that one of the first rules of e-commerce security is don’t purchase things from unsolicited emails; it only encourages more spam. In addition, it just doesn’t fit my ethical compass to support security vendors who would engage in “spammy practices”. Good luck, Bob, but I think you might want to think about your email marketing approach a little bit more…
Several new and updated tools have been released recently. These are mostly aimed at application scanning, specifically getting into the backend database. While it’s no surprise that these tools keep coming, we just want to reinforce the need for better application security. We don’t anticipate an end to attacker tools anytime soon, so keep your guards up 😉
Authors: Anjum & Mouchtaris
Publisher: Wiley
Cost: $75.00
Rating: 3 out of 5
This book reads like a PHD thesis. It is long on technical and mathematic detail and a little short on real-world scenarios. The examples are well researched and deeply technical. While the reading is a little tedious, those seeking an in depth understanding of wireless security will benefit greatly from this book.
At just under 250 pages it’s likely to take longer than a weekend to complete the read, but especially if you’re a mathematical genius, this book should be right up your alley. One of the highlights of the book is the content that relates to intrusion detection systems. The section did an excellent job of explaining various techniques and architectures for wireless intrusion detection. This content will be especially interesting to engineers and vendors in the wireless security space.
Adobe has released a new version of their flash plugin. The new version fixes a recent vulnerability that was exploited during a contest to compromise a fully patched Windows Vista machine. The update also fixes other disclosed vulnerabilities known to exist in older versions of the Flash plugin. MicroSolved recommends that all users update to the newest version immediately. This can be done by downloading at Abode’s website, or through the Flash auto updater.
Vulnerabilities in various third-party file viewing applications can leave systems using Lotus Notes open to compromise. In specific situations, specially crafted files can allow for the execution of arbitrary code. Lotus Notes versions 7.0.3 and 8.0 are known to be vulnerable, other versions may also have issues. The file types that can be used to leverage this vulnerability are:
Applix Presents (.ag)
Folio Flat File (.fff)
HTML speed reader (.htm)
KeyView document viewing engine
Text mail (MIME)
These issues were originally discovered by the Secunia Research team. More information can be found at: http://secunia.com/advisories/28210
IBM’s response, including remediation suggestions is available at: http://www.ibm.com/support/docview.wss?rs=463&uid=swg21298453
Microsoft released a total of 5 Critical and 3 Important security bulletins for the month of April. The breakdown is as follows:
MS08-018 – Critical – Vulnerability in Microsoft Project Could Allow Remote Code Execution (950183)
Undisclosed vulnerabilities in Microsoft Office Project. These could allow an attacker to use a specially crafted Project file to take complete control of the affected system.
Affected software:
Microsoft Project 2000 Service Release 1 (KB949043)
Microsoft Project 2002 Service Pack 1 (KB949005)
Microsoft Project 2003 Service Pack 2 (KB948962)
For full details see the original advisory at:
http://www.microsoft.com/technet/security/bulletin/ms08-018.mspx
MS08-021 – Critical – Vulnerabilities in GDI Could Allow Remote Code Execution (948590)
Undisclosed vulnerabilities in GDI. These could allow an attacker to use a specially crafted EMF or WMF image files to take complete control of the affected system.
Affected Software
Microsoft Windows 2000 Service Pack 4
Windows XP Service Pack 2
Windows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2
Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2
Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2
Windows Server 2003 with SP1 for Itanium-based Systems and Windows Server 2003 with SP2 for Itanium based Systems
(Note that for the above platforms MS08-021 replaces MS07-046)
Windows Vista and Windows Vista Service Pack 1
Windows Vista x64 Edition and Windows Vista x64 Edition Service Pack 1
Windows Server 2008 for 32-bit Systems
Windows Server 2008 for x64-based Systems
Windows Server 2008 for Itanium-based Systems
For full details see the original advisory at:
http://www.microsoft.com/technet/security/bulletin/ms08-021.mspx
MS08-022 – Critical – Vulnerability in VBScript and JScript Scripting Engines Could Allow Remote Code Execution (944338)
Undisclosed vulnerabilities in the VBScript and JScript scripting engines. These could allow an attacker to take complete control of the affected system.
Affected Software
VBScript 5.1 and JScript 5.1 on Microsoft Windows 2000 Service Pack 4
VBScript 5.6 and JScript 5.6 on Microsoft Windows 2000 Service Pack 4
VBScript 5.6 and JScript 5.6 on Windows XP Service Pack 2
VBScript 5.6 and JScript 5.6 on Windows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2
VBScript 5.6 and JScript 5.6 on Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2
VBScript 5.6 and JScript 5.6 on Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2
VBScript 5.6 and JScript 5.6 on Windows Server 2003 with SP1 for Itanium-based Systems and Windows Server 2003 with SP2 for Itanium based Systems
(Note that for the above platforms MS08-022 replaces MS06-023)
For full details see the original advisory at:
http://www.microsoft.com/technet/security/bulletin/ms08-022.mspx
MS08-023 – Critical – Security Update of ActiveX Kill Bits (948881)
An undisclosed vulnerability for ActiveX components. The vulnerability could allow an attacker to use a specially crafted Web page as a vector for remote code execution. The
severity of any compromise may depend upon the level of administrative rights of the user account.
Affected Software:
Microsoft Windows 2000 Service Pack 4 with Internet Explorer 5.01 Service Pack 4
Microsoft Windows 2000 Service Pack 4 with Internet Explorer 6 Service Pack 1
Windows XP Service Pack 2
Windows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2
Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2
Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2
Windows Server 2003 with SP1 for Itanium-based Systems and Windows Server 2003 with SP2 for Itanium-based Systems
Windows Vista and Windows Vista Service Pack 1
Windows Vista x64 Edition and Windows Vista x64 Edition Service Pack 1
Windows Server 2008 for 32-bit Systems
Windows Server 2008 for x64-based Systems
Windows Server 2008 for Itanium-based Systems
For full details see the original advisory at:
http://www.microsoft.com/technet/security/bulletin/ms08-023.mspx
MS08-024 – Critical – Cumulative Security Update for Internet Explorer (947864)
This security update resolves one privately reported vulnerability. The vulnerability could allow remote code execution if a user viewed a specially crafted Web page using Internet Explorer. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Microsoft Windows 2000 Service Pack 4
with Internet Explorer 5.01 Service Pack 4
or Internet Explorer 6 Service Pack 1
Windows XP Service Pack 2
Windows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2
Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2
Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2
Windows Server 2003 with SP1 for Itanium-based Systems and Windows Server 2003 with SP2 for Itanium-based Systems
with Internet Explorer 6
Windows XP Service Pack 2
Windows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2
Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2
Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2
Windows Server 2003 with SP1 for Itanium-based Systems and Windows Server 2003 with SP2 for Itanium-based Systems
Windows Vista and Windows Vista Service Pack 1
Windows Vista x64 Edition and Windows Vista x64 Edition Service Pack 1
Windows Server 2008 for 32-bit Systems
Windows Server 2008 for x64-based Systems
Windows Server 2008 for Itanium-based Systems
with Internet Explorer 7
For full details see the original advisory at:
http://www.microsoft.com/technet/security/bulletin/ms08-024.mspx
MS08-020 – Important – Vulnerability in DNS Client Could Allow Spoofing (945553)
An undisclosed vulnerability that could allow an attacker to spoof or redirect Internet traffic on affected systems.
For full details see the original advisory at:
http://www.microsoft.com/technet/security/bulletin/ms08-020.mspx
MS08-025 – Important –Vulnerability in Windows Kernel Could Allow Elevation of Privilege (941693)
An undisclosed vulnerability in the Windows kernel. Can allow a local attacker to take complete control of an affected system.
For full details see the original advisory at:
http://www.microsoft.com/technet/security/bulletin/ms08-025.mspx
MS08-019 – Important –Vulnerabilities in Microsoft Visio Could Allow Remote Code Execution (949032)
Undisclosed vulnerabilities in Microsoft Office Visio. These could allow an attacker to use specially crafted Visio files to perform remote code execution or take complete control of an affected system.
For full details see the original advisory at:
http://www.microsoft.com/technet/security/bulletin/ms08-019.mspx
MSI is proud to release a new tool to help security managers analyze the overall balance, maturity and capability of their security program. The new tool is a simple matrix based around quantifying the amount of controls, efforts and processes you are employing.
Using the tool as brainstorming aid is also possible. Security engineers have told us that the process works for them to analyze particular applications and other security undertakings. Simply build out the matrix on paper or in your chosen office product and it should help you clarify where your security initiative stands.
Effective, mature security programs should be well rounded in the matrix and should be well balanced between all of the cells. They also tend to balance out between strategic and tactical approaches.
Feel free to give us feedback on this project and let us know if we can answer any questions you may have.
You can obtain the relevant file here.
It is licensed under Creative Commons. Check out the PDF for details.
This just in from the “No, we swear this isn’t propaganda” department.
The TSA seems to have added a section to their web site where you can keep tabs on just what they have been up to this week. You can check it out here.
As of this moment, here is what they have been doing so far this week:
* 15 passengers were arrested due to suspicious behavior or fraudulent travel documents
* 18 firearms found at checkpoints
* 12 incidents that involved a checkpoint closure, terminal evacuation or sterile area breach
* 16 disruptive passengers on flights
So, basically, according to those figures – they apparently have worked 61 “incidents” this week alone. Unfortunately, what they don’t seem to show is a graphic that shows where this lies as a historical piece of data. Wouldn’t it be whiz bang cool if they had a graph that showed historic trending? Maybe they could also do some sort of predictive “threat radar” that could turn various colors and make beeping sounds when they think more disruptive passengers are expected- like say the next time airlines go out of business, strand travelers, treat them without dignity – oh wait, that seems to be usual air travel today. No wonder they don’t have any sort of historic metrics…
I also particularly liked the large window at the top of the page that currently says something to the effect of “Chilling details have emerged about a trans-atlantic terror plot.” I am pretty sure that’s what I want to read from the TSA – horror stories. Is it just me or does this stuff seem like maybe it belongs someplace else? I really don’t want to view that material from the government group that’s supposed to protect me. Sure, you have the details. Sure, you might even have caught them, but I also think it induces more fear than it calms and reassures.
Hey TSA, how about a lot less marketing and a lot more focus on the presenting the details that we NEED TO KNOW. Please, refrain from using FUD to justify your presence in our lives and your budget dollars. Thanks!!!
I was astounded at this posting this morning in Credit Union Times.
These types of offers always make me cringe when I see them. At first blush, they may seem like a good idea. Why not, after all, we all want to believe that our application is secure and we all want something for free. This certainly seems like the best of both worlds. How could this be bad?
Well, first off, security testing choices should not be based on price. They should be based on risk. The goal is to reduce the risk that any given operation (application, network, system, process, etc.) presents to the organization to a level that is manageable. Trust me, I have been in the security business for 20 years and all vendor processes are NOT created equal. Many variations exist in depth, skill level, scope, reporting capability, experience, etc. As such, selecting security testing vendors based upon price is a really really really bad idea. Matching vendors specific experience, reporting styles and technical capabilities to your environment and needs is a far better solution for too many reasons to expound upon here.
Second, the “find vulnerabilities or it’s free” mentality can really back fire for everyone involved. It’s hard enough for developers and technical teams to take their lumps from a security test when holes emerge, but to now also tie that to price makes it doubly difficult for them to take. “Great, I pay now because Tommy made some silly mistake!” is just one possibility. How do you think management may handle that? What about Tommy? Believe me, there can be long term side effects for Tommy’s career, especially if he is also blamed for breaking the team’s budget in addition to causing them to fail an audit.
Thirdly, it actually encourages the security assessment team to make mountains out of mole hills. Since they are rewarded only when they find vulnerabilities and the customer expectations of value are automatically built on severity (it’s human nature), then it certainly (even if only unconsciously) behooves the security team to note even small issues as serious security holes. In our experience, this can drastically impact the perceived risk of identified security issues in both technicians and management and has even been known to cause knee-jerk reactions and unneeded panic when reports arrive that show things like simple information leakage as “critical vulnerabilities”. Clearly, if the vendor is not extremely careful and mindful of ethical behavior among their teams, you can get serious skewed views between perceived risk and real-world risk, again primarily motivated by the need to find issues to make the engagement profitable.
Lastly, I am the first to admit that such marketing approaches simply “bother me”. They lend a certain air of “used car dealer” salesmanship to the security industry. This is hardly something that, in my opinion, our industry needs. We are already working hard to overcome the idea that many vendors have glommed onto for decades – that fear sells products. This enough challenge for us for now, so the last thing we need is for our industry to be viewed as is another marketplace full of “gimmicks”.
In my opinion, let’s stick to plain old value. My organization helps you find and manage your risk. We help you focus on the specific technical vulnerabilities in networks, systems, applications and operations that attackers could exploit to cause you damage. To do this, my company employs security engineers. These deeply skilled experts earn a wage and thus cost money. Our services are based around the idea that the work we do has value. The damages that we prevent from occurring save your company money. Some of that money pays us for our services and thus, we pay our experts. Value. End of story.
No gimmicks, sales hype or catchy marketing will ever replace value or the truth. Between you and me, I think that’s a very good thing!