I had major hardware problems earlier this week which completely destroyed my main system. CPUs, hard drive, video card, motherboard, all toast. The only thing I could save from the system was the CD and DVD-RW drives. Luckily, everything that was really important to me was backed up on another computer. On the other hand, I’m sure that I’ll find that there’s a document on the old hard drive that I’m really, really going to need some day.
Since I’m rebuilding the system, I have a question: What are the first programs you install on a new system when you build it? This question was raised on Slashdot earlier this week, but I’m wondering what other security professionals put on their computers first thing.
Here’s what I installed, pretty much in order:
OS: Win2k Server
Video drivers (Nvidia): I can’t stand working at 640×480, and my systems are behind a couple of firewalls, so I wasn’t worried about instant infection from the internet.
Patch, patch, patch the OS.
GRISoft AVG AntiVirus
City of Heroes (I admit it, I have always secretly wanted to be a super-hero, and this game is about as close to it as I’ll ever come.)
I haven’t heard of any active viruses out there using the latest SSL vulnerability in IIS, but there is an exploit tool, and it is apparently being used. Microsoft is taking this one seriously, to the point that they are calling people directly to tell them to patch. Or at least that’s what one comment I received says. I’ve never heard of Microsoft calling an admin to patch their systems, but there’s a first for everything. I’m not sure if I like that. If they start emailing patches to people, I’ll be really concerned; I’ve always told my users to delete any email coming from Microsoft with attachments, since MS doesn’t do that. Oh well, I’ll burn that bridge when I come to it.
One of the (many) mailing lists I subscribe to is the Snort Signature list. Yesterday a signature for the SSL exploit was posted, by … I’m not sure who; the email has been replied to and forwarded, making identification difficult. If this is your Snort signature, let me know and I’ll post the credit. In any case, here’s the signature, which I haven’t tested yet. Your mileage may vary. If you have a better or different signature, let me know.
alert tcp any any -> $HOME_NET 443 (msg:"MS04-011 SSL exploit (THCIISSLame by Johnny Cyberpunk)"; sid:900034; content:"|54 48 43 4F 57 4E 5A 49 49 53 21 32 5E BE 98|"; within:36;)
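As an added example (not from the original post or from whoever wrote the signature), here is a small Python checker that parses the rule's content and within keywords and runs them over two constructed payloads, so you can see what the signature actually keys on before deploying it. It assumes that, with no earlier content match in the rule, within:N is measured from the start of the payload.

```python
import re

# The signature from the post, with straight quotes so it parses cleanly.
RULE = ('alert tcp any any -> $HOME_NET 443 (msg:"MS04-011 SSL exploit '
        '(THCIISSLame by Johnny Cyberpunk)"; sid:900034; '
        'content:"|54 48 43 4F 57 4E 5A 49 49 53 21 32 5E BE 98|"; within:36;)')

CONTENT_RE = re.compile(r'content:"([^"]*)"')
WITHIN_RE = re.compile(r"within:(\d+)")


def parse_content(pattern: str) -> bytes:
    """Turn a Snort content string (plain text mixed with |hex| runs) into bytes."""
    out = bytearray()
    for i, part in enumerate(pattern.split("|")):
        if i % 2 == 1:                      # odd segments sit between | | -> hex bytes
            out.extend(bytes.fromhex(part.replace(" ", "")))
        else:                               # even segments are literal text
            out.extend(part.encode("latin-1"))
    return bytes(out)


def rule_matches(rule: str, payload: bytes) -> bool:
    """True if the rule's content occurs entirely inside the within:N window.

    Assumption: with no preceding content match, the window is the first N
    bytes of the payload (the same effect depth:N would have).
    """
    content = parse_content(CONTENT_RE.search(rule).group(1))
    within = WITHIN_RE.search(rule)
    window = payload[: int(within.group(1))] if within else payload
    return content in window


# Constructed sample payloads (not real captures). The marker bytes are the
# ones quoted in the signature; the surrounding bytes are filler.
MARKER = parse_content("|54 48 43 4F 57 4E 5A 49 49 53 21 32 5E BE 98|")
HIT = b"\x16\x03\x01\x00\x00\x00\x00\x00" + MARKER + b"A" * 20   # marker at offset 8
MISS = b"A" * 40 + MARKER                                        # marker past byte 36

if __name__ == "__main__":
    print("HIT  ->", rule_matches(RULE, HIT))    # True
    print("MISS ->", rule_matches(RULE, MISS))   # False
```

The MISS case shows the practical limit of within:36: the same bytes later in the record are not flagged, which is worth knowing when you tune or test the rule.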
Here’s a link to an article from SearchSecurity.com on the nature of the TCP vulnerability disclosed earlier this week. The article has several good links directly to the sources of information on the vulnerability and how to defend against it. It presents the vulnerability as another reason to be cautious, but urges us not to panic.
I agree with this point of view. We need to be aware of the vulnerability and take appropriate steps to mitigate the problem. The solution to the vulnerability is simple: a minor configuration change to enable MD5 signatures on BGP traffic. What worries me is that this now becomes another configuration line we have to remember to add to each and every edge router from now on. Another entry in the ‘Best Practices’ manual. This stuff continues to build up.
Someone, somewhere, soon is going to get hit on this one, hopefully not in too harmful of a way. I hope most companies are taking the time to defend themselves now, before the automated tools hit the mainstream. We don’t need to panic, but we need to be aware that the script kiddie tools will come out and we need to be protected before they do. How’s the saying go? “Plan for the worst, hope for the best.”
I’ve included the full text of the article in the extended entry to preserve the links. Please refer to the original article if you’re going to do any linking.