Archive for March, 2004

Mar 31 2004

ISS sucks

Published by under Security Advisories

It’s pretty much accepted as standard in the software industry that if you have a vulnerability in your product, you offer up a patch to your customers, past and present, for free. ISS doesn’t feel that rule should apply to them. Last week the Witty worm (Trend Micro)(Symantec) was released, targeting a vulnerability in BlackIce and other products from ISS. ISS had had a fix out for the vulnerability, but it was only available for customers who have current licenses, since it was not a patch, but an upgrade to the latest version of BlackIce. Customers who had let their licenses lapse were, and still are, out of luck.

This article from ZDNet UK highlights the issue. I purchased BlackIce for use at home two years ago on the advice of a co-worker. I was moderately happy with it, but when it came time to renew the license, I passed. For $40, BlackIce is a pretty good program, but for $20/year, I just don’t find the value to be there. I have a number of other protections on all of my systems, such as two firewalls between me and the Internet, antivirus software and several other freeware/shareware programs designed to protect my computers. BlackIce was redundant, but I like having multiple layers of security on my computers.

So I left BlackIce on the system, but didn’t upgrade it. I figured the basic functionality wasn’t going to change all that much, so I would get 90% of the protection without having to worry about a patch breaking the system, as so often happens. Now I find that rather than adding to my security, having BlackIce on my computer actually makes my computer more vulnerable to attack than ever, and there is nothing I can do, except dump BlackIce or pay ISS $20 to renew my license. Guess which one I’m going to do.

So do software companies have a responsibility to their out-of-license customers? I think so. ISS is setting a dangerous precedent, one which I’m sure Microsoft would love to follow: you, the customer, must continue to pay for the product through licensing fees if you want to have patches for the product, despite the fact it was flawed when it shipped. Pressure needs to be applied to ISS concerning this issue; emails, letters, blog entries (;-)), press releases, whatever it takes to get them to change their mind. The product was broken when you sold it, you need to fix it for free, not expect me to pay for the patch.

Let me know your opinion on the matter.

One response so far

Mar 26 2004

Nice Analysis tool

Published by under General

I haven’t tried this out yet, but here’s a nice tool called FLAG (Forensics and Log Analysis GUI). One of the things I like the most about it is that not only does it allow you to perform all of your analysis through a database, but they also give you the option of using a Knoppix image to make a bootable Linux system for the program. You can also look at the nicer version of the web page on the Australian Defence site.

Comments Off

Mar 26 2004

Analysis of the Witty Worm

Published by under Malware

The Spread of the Witty Worm – CAIDA : ANALYSIS : security : witty

This is the type of stuff I would like to see more of out there on the web. It’s also the kind of stuff I wish I had the time to do myself. But between reviewing IDS logs at work and changing diapers at home, spare time is not something I have a lot of. Hmmm, I could do a comparison of the similarities between log files and poopy diapers; there’s a lot of crap in both.

Comments Off

Mar 24 2004

Rooting a box

Published by under Hacking

Here is a step-by-step article on how a penetration tester compromised a client’s network. The article is on webpronews.com, and I got the link from joatblog. One of these days I’m really going to take the time to figure out the trackback feature in MT. Really.

Comments Off

Mar 17 2004

Sometimes it’s just good to be alive

Published by under General

For those of you living elsewhere, spring has sprung in Northern California. That means days in the low 80s without a cloud in the sky, nights in the 50s, and lots of sun. Makes it hard to stay inside and work when you could be out taking a hike or kayaking instead. Days like this are why people from all around the world dream of coming to California. And I’ve been thinking about leaving?

Late last year I was burnt out at work. One possible solution I came up with was to move out of California. With the coming of spring and the ability to get out on the weekends, I’ve really been able to work out some of the stress. Maybe I can stick with it now, at least through the summer. It also helps to have interesting new projects.

I like to balance the work portion of my life with the play portion. I need to spend as much time away from the keyboard and mouse as I can get away with. All the outdoor stuff hopefully makes up for sitting in a chair or driver’s seat for over 11 hours a day, 4-5 days a week.

So get up out of that chair this weekend and go for a hike, or go kayaking, or go geocaching, or go orienteering, or whatever you want. As long as you get away from the keyboard for a couple hours and do something physical, fun and outside! Unluckily, my wife is convinced that physical and outside mean doing yard work. Not fun, but two out of three ain’t bad.

Comments Off

Mar 09 2004

Scary uses for Google

Published by under Hacking

I use Google every day and I think I’ve become pretty good at finding the stuff I’m looking for. But this article made me realize two things:

1) Google has a whole mess of functionality that I have barely touched
2) There is enough information out there that hackers don’t even need script kiddy skills. With the number of people exposing their passwords to Google, hackers can spend all their time just logging into systems that have exposed passwords.

I like Security Focus. I just wish that they didn’t scare me sometimes. This article scares me.

One response so far

Mar 09 2004

HIPAA gives me a headache

Published by under General

If you’re like me, trying to make sense of HIPAA (and most of the other security regulations out there) leaves you reaching for the closest bottle of Tylenol or Aleve. So here’s a link to an article on SecurityFocus that spells out what HIPAA regulations mean in the real world in relatively simple terms. If anyone is listening, can you please do a dissection of Gramm-Leach-Bliley and Sarbanes-Oxley next. I’ve already read California’s SB1386. I love laws like SB1386 that look impressive, but are toothless and unenforceable. Not!

Comments Off

Mar 04 2004

Is the latest Bagle variant the future of worms?

Published by under Malware

Like I said yesterday, the latest versions of the Bagle worm are using password-protected zip files to bypass many of the mail gateways out there. Normally the gateways unzip the compressed attachment, scan the files, then send on the attachment if nothing is detected. Bagle now blocks that by password-protecting the file and putting the password in the email. Here’s some background info from the Internet Storm Center.

On one of the lists I monitor, someone asked if this was the future of worms (I have to stop being so quick to delete emails). Personally, I don’t think so. Encrypting the payload with a password does help get the worm past the gateways, but it then requires human intervention to activate. Most of the really big worms out there have had little or no human intervention involved; they exploit vulnerabilities on systems automatically, and may not even be noticed by the victim. Also, I think it’s only a matter of time before the anti-virus companies figure out how to scan for viruses despite the password protection.

Using password-protected zip files is another tool to be used by hackers, but I think it’s only a blip on the radar of the virus world. It is successful right now because it caught us by surprise, though it really shouldn’t have. Many businesses were safe because they block zipped traffic by default. I hope the home users are learning, but it’s just a faint hope.

What’s your opinion on the future of virii, worms and trojans?

Comments Off

Mar 03 2004

Bagle.G,H,I, ad nauseum

Published by under Malware

I find it interesting that no matter what technical vulnerabilities we have on our systems, the more successful worms come back to our single biggest weakness: the human element. Recent versions of the Bagle virus are zipping up their attachment, which normally isn’t a problem, but then they are password-protecting it. The password for the zip is included in the email, and the end user has to type in the password to infect themselves. And people out there are doing it.
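Both the Mar 04 post above and this one describe the same gateway gap: the scanner unzips, scans, and forwards, and an archive it cannot open sails through the unzip step. Here is an added Python example, not code from the original blog or from any product mentioned, of the policy that closes that gap: read the zip headers, and hold anything flagged as encrypted instead of forwarding it unscanned. The scanner callback and the marker string are constructed stand-ins, and the fixture sets the encrypted bit by hand because the standard library cannot write real password-protected archives.

```python
import io
import struct
import zipfile

# Bit 0 of the zip "general purpose bit flag" field marks a member as encrypted.
ENCRYPTED_FLAG = 0x0001


def make_sample_zip(payload: bytes, member: str = "readme.txt") -> bytes:
    """Build a small stored (uncompressed) zip in memory. Constructed fixture."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(member, payload)
    return buf.getvalue()


def mark_encrypted(zip_bytes: bytes) -> bytes:
    """Set the encrypted bit in every local and central-directory header.

    Constructed fixture only: the member data stays in the clear, so the
    archive merely *claims* to be password-protected. That claim is exactly
    what a header-based gateway check keys on, so it is enough to exercise
    the policy below.
    """
    buf = bytearray(zip_bytes)
    # (header signature, offset of the 2-byte flag field from that signature)
    for sig, flag_off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        pos = buf.find(sig)
        while pos != -1:
            (flags,) = struct.unpack_from("<H", buf, pos + flag_off)
            struct.pack_into("<H", buf, pos + flag_off, flags | ENCRYPTED_FLAG)
            pos = buf.find(sig, pos + 1)
    return bytes(buf)


def sample_scanner(name: str, content: bytes) -> bool:
    """Stand-in for the gateway's content scanner: a constructed marker
    string plays the role of a malware signature."""
    return b"CONSTRUCTED-MALWARE-MARKER" in content


def gateway_decision(attachment: bytes, scan_member) -> tuple:
    """Decide what to do with one attachment. Returns (verdict, detail).

    The rule the gateways in the post lacked: an archive whose members are
    flagged as encrypted cannot be inspected, so it is held, not waved through.
    """
    try:
        zf = zipfile.ZipFile(io.BytesIO(attachment))
    except zipfile.BadZipFile:
        return ("not_archive", "no zip structure; leave to plain file scanning")
    with zf:
        infos = zf.infolist()
        # Member names and sizes stay readable even when contents are
        # encrypted, so the detail can still say what was held.
        names = ", ".join(i.filename for i in infos)
        if any(i.flag_bits & ENCRYPTED_FLAG for i in infos):
            return ("quarantine", "encrypted members cannot be scanned: " + names)
        for info in infos:
            if scan_member(info.filename, zf.read(info.filename)):
                return ("block", "scanner hit on member " + info.filename)
    return ("deliver", "all members scanned clean: " + names)


if __name__ == "__main__":
    clean = make_sample_zip(b"just a note")
    nasty = make_sample_zip(b"xx CONSTRUCTED-MALWARE-MARKER xx", "photo.exe")
    samples = [("clean", clean), ("nasty", nasty),
               ("nasty-encrypted", mark_encrypted(nasty)), ("text", b"not a zip")]
    for label, data in samples:
        print(label, gateway_decision(data, sample_scanner))
```

Run as a script it prints the four verdicts. The useful detail is that zip encryption covers only member contents; the central directory still lists names and sizes, so a held message can be reported with its member list rather than as an opaque blob.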

We try to educate our users, or at least I hope we do. But some people just don’t get it. I remember the ILOVEYOU virus; one of our engineers infected the network every other day for nearly two weeks, despite repeated warnings. I’m still not sure why he thought that the same action would bring different results. We finally had to disable his ability to use Visual Basic programs.

No matter how many layers of protection we heap upon our networks, human beings will find a way to mess it up. Not that I’m a cynic or anything. Well, actually, I am, but that doesn’t change the reality of the situation. We can try to educate until we’re blue in the face, but some people will never understand. *Big sigh*

Comments Off

Mar 02 2004

CERT … or is it CIRT … or CSIRT

Published by under General

CERT = Computer Emergency Response Team
CIRT = Computer Incident Response Team
CSIRT = Computer Security Incident Response Team

When you boil it down to basics, all three acronyms mean the same thing, a team of first responders and handlers for a computer-based incident. The rest of it is just flavor text based on who is running the show. A lot of the naming is in the politics behind the creation of the team. And I hate politics.

If you, like me, are somehow involved in the formation or operation of a CIRT (I’ll use this term, as it is probably the most generic) organization, then the following links will hopefully help you. The one hint I have for you is this: you had better have management backing before you even try to get a CIRT going.

Here are the links:

2 responses so far